Wasmtime WASI Host Interface Resource Exhaustion Vulnerability

Vulnerability

A vulnerability exists in Wasmtime's implementation of the WebAssembly System Interface (WASI) host interfaces in versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. The host interfaces do not properly limit the resource allocations that guest programs request, which allows guest-controlled resource exhaustion on the host. This can be exploited to induce denial-of-service conditions: allocating excessive amounts of host memory, causing allocation failures that abort the process, degrading host performance by keeping too much memory alive, and, in the case of Wasmtime 41.0.0-prior, causing panics from overlarge allocations.

Impact

Exploitation of this vulnerability leads to guest-controlled resource exhaustion on the host, causing various denial-of-service effects such as excessive memory allocation, allocation failures that abort the process, performance degradation, and in some cases, panics due to large allocations.

Reproduction

The vulnerability can be reproduced by creating a WebAssembly guest that allocates resources through the WASI host interfaces without any limits. This can be done by, for example, repeatedly requesting random bytes or copying large amounts of data to the host, which causes the host to perform memory-intensive operations.

Remediation

Upgrade to Wasmtime version 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0. After upgrading, configure the Wasmtime embedding to set appropriate limits on resource allocations and hostcall fuel so that guests cannot exhaust host resources.
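
As an added illustration (not Wasmtime's code or API; `HostLimits`, `random_bytes_hostcall` and the limit values are hypothetical), this Rust example shows the kind of check the remediation describes: a guest-supplied length is capped per call and charged against a cumulative budget before the host allocates anything.

```rust
// Added illustration, not Wasmtime code. All names and limits are hypothetical.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum HostcallError {
    TooLarge { requested: u64, max: u64 },
    BudgetExhausted { requested: u64, remaining: u64 },
    AllocFailed,
}

/// Per-guest limits chosen by the embedder.
pub struct HostLimits {
    max_bytes_per_call: u64,
    remaining_budget: u64, // cumulative "fuel" for host-side bytes
}

impl HostLimits {
    pub fn new(max_bytes_per_call: u64, total_budget: u64) -> Self {
        Self { max_bytes_per_call, remaining_budget: total_budget }
    }
    pub fn remaining(&self) -> u64 { self.remaining_budget }

    /// Validate a guest-supplied length before the host allocates anything.
    fn charge(&mut self, requested: u64) -> Result<usize, HostcallError> {
        if requested > self.max_bytes_per_call {
            return Err(HostcallError::TooLarge { requested, max: self.max_bytes_per_call });
        }
        if requested > self.remaining_budget {
            return Err(HostcallError::BudgetExhausted { requested, remaining: self.remaining_budget });
        }
        let len = usize::try_from(requested).map_err(|_| HostcallError::AllocFailed)?;
        self.remaining_budget -= requested;
        Ok(len)
    }
}

/// Stand-in for a "fill N random bytes" hostcall. The unbounded form is
/// `vec![0u8; guest_len as usize]`, where the guest picks the host allocation size.
pub fn random_bytes_hostcall(limits: &mut HostLimits, guest_len: u64) -> Result<Vec<u8>, HostcallError> {
    let len = limits.charge(guest_len)?;
    let mut buf = Vec::new();
    // Fallible reservation: an allocation failure becomes an error, not an abort.
    buf.try_reserve_exact(len).map_err(|_| HostcallError::AllocFailed)?;
    buf.resize(len, 0u8); // a real host would fill this from its RNG
    Ok(buf)
}

fn main() {
    let mut limits = HostLimits::new(64 * 1024, 256 * 1024); // constructed values
    for req in [4096u64, u64::MAX, 64 * 1024] {
        println!("{req}: {:?}", random_bytes_hostcall(&mut limits, req).map(|b| b.len()));
    }
}
```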

Added: Feb 24, 2026, 11:21 PM
Updated: Feb 24, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.