{"id":"CVE-2019-7154","details":"The main function in tools/wasm2js.cpp in Binaryen 1.38.22 has a heap-based buffer overflow because Emscripten is misused, triggering an error in cashew::JSPrinter::printAst() in emscripten-optimizer/simple_ast.h. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by wasm2js.","modified":"2026-04-11T20:26:20.196555Z","published":"2019-01-29T00:29:00.627Z","references":[{"type":"FIX","url":"https://github.com/WebAssembly/binaryen/issues/1876"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webassembly/binaryen","events":[{"introduced":"0"},{"fixed":"153ba18ba99dc4dcef29a61e1e586af3df8d921d"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"65"}],"cpe":"cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["1.36.10","1.36.11","1.36.12","1.36.13","1.36.14","1.36.2","1.36.3","1.36.4","1.36.5","1.36.6","1.36.7","1.36.8","1.36.9","1.37.0","1.37.1","1.37.10","1.37.11","1.37.12","1.37.13","1.37.14","1.37.15","1.37.16","1.37.17","1.37.18","1.37.19","1.37.2","1.37.20","1.37.21","1.37.22","1.37.23","1.37.24","1.37.25","1.37.26","1.37.27","1.37.28","1.37.29","1.37.3","1.37.30","1.37.31","1.37.32","1.37.33","1.37.34","1.37.35","1.37.36","1.37.37","1.37.39","1.37.4","1.37.40","1.37.5","1.37.6","1.37.7","1.37.8","1.37.9","1.38.0","1.38.1","1.38.10","1.38.11","1.38.12","1.38.13","1.38.14","1.38.15","1.38.16","1.38.17","1.38.18","1.38.19","1.38.2","1.38.20","1.38.21","1.38.22","1.38.23","1.38.24","1.38.25","1.38.3","1.38.4","1.38.5","1.38.6","1.38.7","1.38.8","1.38.9","binary_0xb","version_1","version_10","version_11","version_12","version_13","version_14","version_15","version_16","version_17","version_18","version_19","version_2","version_20","version_21","version_22","version_23","version_24","version_25","version_26","version_27","version_28","version_29","version_3","version_30","version_31","version_32","version_33","version_34","version_35","version_36","version_37","version_38","version_39","version_4","version_40","version_41","version_42","version_43","version_44","version_45","version_46","version_47","version_48","version_49","version_5","version_50","version_51","version_52","version_53","version_54","version_55","version_56","version_57","version_58","version_59","version_6","version_60","version_61","version_62","version_63","version_64","version_7","version_8","version_9"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["22616790360282577033674605180077833219","191972970298653173444158597266287009694","14821571429962120343001262233210576335","151191529705392329886293484142824340752","185122690502798721846121553612976097687","53197629183357289701089927573176392278","324194258621610357039876706449906529187","288962724844564451928959159070423739797","119541822130047711562403959423585453020","196957992580538602360349810475843857508","266074370991696475216603390399545124213"]},"target":{"file":"src/tools/wasm-emscripten-finalize.cpp"},"signature_type":"Line","source":"https://github.com/webassembly/binaryen/commit/153ba18ba99dc4dcef29a61e1e586af3df8d921d","signature_version":"v1","id":"CVE-2019-7154-309327dc"},{"deprecated":false,"digest":{"function_hash":"114506349049517890130313607795175520772","length":466},"target":{"function":"AsmConstWalker::visitCall","file":"src/wasm/wasm-emscripten.cpp"},"signature_type":"Function","source":"https://github.com/webassembly/binaryen/commit/153ba18ba99dc4dcef29a61e1e586af3df8d921d","signature_version":"v1","id":"CVE-2019-7154-5c11ab82"},{"deprecated":false,"digest":{"function_hash":"138423354102750047574691565677008332270","length":5871},"target":{"function":"main","file":"src/tools/wasm-emscripten-finalize.cpp"},"signature_type":"Function","source":"https://github.com/webassembly/binaryen/commit/153ba18ba99dc4dcef29a61e1e586af3df8d921d","signature_version":"v1","id":"CVE-2019-7154-8fb37496"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["315711385697882142515874801209616814643","296156224043627193328400495169611395702","77499482424643067126151120578878875266","274324235565113840226923181117945430074","90088919803854712328793541726553905294","239511132063355793396937242033905988083","37757062407568417218192717800299663089","99495896202181285171447783518041064724","39719218561181330581269317214892922476","130840213018713389535742735768989788570","59454224216472073359920052981429413417","81681221918972354805958228841923233931","61967027930462198887128716957949142642","16540623721121067462332746169520368488","89218691273730261051480484430257932328","80088878758691338675558368774357100149","36203083223426206760729530190185201362","214050444586084780357169729595550129855","41674973558809398479455871761264659042","189369635161906183679516518282489184360","143351518440347716055171766304302159734","41776136258577880614344662206580082890","50217705517904600268041040273596962622","193172374485864913901209068670512605948","184066918667677860940062195156789695990","87407311439441835597684821978109907569","135947261108190545169005646228083740563","96562869205760499504990143647018032837","184528604685741297685066204159611654836","296700476545690631986867236150304976384","169728093976989309268302028951847201368","291789020970159672831707353184537475750","170228873566876733807541136341936756863","332714337655117707011562848579240136886","266592970334377096938786646358898995910","244907938788025967984980323528724878551"]},"target":{"file":"src/wasm/wasm-emscripten.cpp"},"signature_type":"Line","source":"https://github.com/webassembly/binaryen/commit/153ba18ba99dc4dcef29a61e1e586af3df8d921d","signature_version":"v1","id":"CVE-2019-7154-a1e1d720"}],"vanir_signatures_modified":"2026-04-11T20:26:20Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-7154.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}