CVE-2025-15412

MEDIUM 5.3

WebAssembly wabt wasm-decompile VarName out-of-bounds

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.

CWE	CWE-125 CWE-119
Vendor	webassembly
Product	wabt
Published	Jan 1, 2026
Last Updated	Feb 23, 2026

Stay Ahead of the Next One

Get instant alerts for webassembly wabt

Be the first to know when new medium vulnerabilities affecting webassembly wabt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

WebAssembly / wabt

1.0.0 1.0.1 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.0.7 1.0.8 1.0.9 1.0.10 1.0.11 1.0.12 1.0.13 1.0.14 1.0.15 1.0.16 1.0.17 1.0.18 1.0.19 1.0.20 1.0.21 1.0.22 1.0.23 1.0.24 1.0.25 1.0.26 1.0.27 1.0.28 1.0.29 1.0.30 1.0.31 1.0.32 1.0.33 1.0.34 1.0.35 1.0.36 1.0.37 1.0.38 1.0.39

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.339333 vuldb.com: https://vuldb.com/?ctiid.339333 vuldb.com: https://vuldb.com/?submit.719826 github.com: https://github.com/WebAssembly/wabt/issues/2678 github.com: https://github.com/oneafter/1208/blob/main/af1 github.com: https://github.com/WebAssembly/wabt/

Credits

🔍 Oneafter (VulDB User)