{"id":"CVE-2024-38358","summary":"Symlink bypasses filesystem sandbox in wasmer","details":"Wasmer is a web assembly (wasm) Runtime supporting WASIX, WASI and Emscripten. If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both `oflags::creat` and `rights::fd_write`. Programs can also crash the runtime by creating a symlink pointing outside with `path_symlink` and `path_open`ing the link. This issue has been addressed in commit `b9483d022` which has been included in release version 4.3.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-55f3-3qvg-8pv5"],"modified":"2026-05-18T12:03:09.600755481Z","published":"2024-06-19T19:55:26.111Z","related":["CGA-7633-ph58-765g"],"database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38358.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38358.json"},{"type":"ADVISORY","url":"https://github.com/wasmerio/wasmer/security/advisories/GHSA-55f3-3qvg-8pv5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38358"},{"type":"FIX","url":"https://github.com/wasmerio/wasmer/commit/b9483d022c602b994103f78ecfe46f017f8ac662"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wasmerio/wasmer","events":[{"introduced":"0"},{"fixed":"fb9a04bb72d5203b3af4076122486f728fd710b2"}]}],"versions":["v4.3.1","v4.3.0","v4.3.0-beta.1","v4.3.0-alpha.1","wasmer-config-v0.1.0","v4.2.8","v4.2.7","v4.2.6","v4.2.5","v4.2.4","v4.2.3","v4.2.2","v4.2.1","v4.2.0","v4.1.2","v4.1.1","v4.1.0","v4.0.0","v4.0.0-beta.3","v4.0.0-beta.2","v4.0.0-beta.1","v4.0.0-alpha.1","v3.3.0","v3.2.1","v3.2.0","v3.2.0-beta.2","v3.2.0-beta.1","v3.1.0","v3.0.2","v3.2.0-alpha.1","v3.0.1","v3.0.0","v3.0.0-rc.4","v3.0.0-rc.3","v3.0.0-rc.2","v3.0.0-rc.1","3.0.0-beta.2","3.0.0-beta","3.0.0-alpha","2.3.0","2.2.0-rc2","2.2.1","2.1.1","2.2.0","2.2.0-rc1","2.1.0","2.0.0","2.0.0-rc2","2.0.0-rc1","1.0.2","1.0.1","1.0.0","1.0.0-rc1","1.0.0-beta2","1.0.0-beta1","1.0.0-alpha5","1.0.0-alpha3","1.0.0-alpha02.0","0.17.1","0.17.0","0.16.2","0.16.1","0.16.0","0.15.0","0.14.1","0.14.0","0.13.1","0.13.0","0.12.0","0.11.0","0.10.2","0.10.1","0.10.0","0.9.0","0.8.0","0.7.0","0.6.0","0.5.7","0.5.6","0.5.5","0.5.4","0.5.3","0.5.2","0.5.1","0.5.0","0.4.2","0.4.1","0.4.0","0.3.0","0.2.1","0.2.0","0.1.4","0.1.3","0.1.2","0.1.1","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38358.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}