Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

CVE-2023-30624

LOW

Wasmtime has Undefined Behavior in Rust runtime functions

Also known asGHSA-ch89-5g45-qwc7RUSTSEC-2023-0092
Published
Apr 27, 2023
Updated
Apr 10, 2026
Affected
3 pkgs
Patched
3 / 3
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk36th percentile+0.29%
0.00%0.32%0.63%0.95%0.1%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

3 pkgs affected
🦀wasmtime🦀wasmtime🦀wasmtime

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues.

The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called Instance which has a trailing VMContext structure after it. This VMContext structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so unsafe code is required to maintain this state. The code doing this, however, has methods which take &self as an argument but modify data in the VMContext part of the allocation. This means that pointers derived from &self are mutated. This is typically not allowed, except in the presence of UnsafeCell, in Rust. When compiled to LLVM these functions have noalias readonly parameters which means it's UB to write through the pointers.

Wasmtime's internal representation and management of VMContext has been updated to use &mut self methods where appropriate. Additionally verification tools for unsafe code in Rust, such as cargo miri, are planned to be executed on the main branch soon to fix any Rust-level issues that may be exploited in future compiler versions.

Precomplied binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15 so are not known to be vulnerable. As mentioned above, however, it's still recommended to update.

Wasmtime version 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for undefined behavior to exploited, however, so it's recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly.

Affected Packages

3 total 3 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.iowasmtimeall versions6.0.2
🦀crates.iowasmtime7.0.0&&< 7.0.17.0.1
🦀crates.iowasmtime8.0.0&&< 8.0.18.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wasmtime. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update wasmtime to 6.0.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms CVE-2023-30624 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether CVE-2023-30624 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to CVE-2023-30624. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable re
O3 Security · Impact-Aware SCA

Is CVE-2023-30624 in your dependencies?

O3 detects CVE-2023-30624 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works