Wasmtime Denial-of-Service Vulnerability in WASI HTTP Fields Handling

Vulnerability

A denial-of-service vulnerability has been identified in Wasmtime's WebAssembly runtime, specifically in versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. The issue arises in Wasmtime's implementation of the 'wasi:http/types.fields' resource, which can panic when an excessive number of fields is added to the headers. The panic is not handled gracefully, so applications that embed Wasmtime can crash.

Impact

The vulnerability causes a panic in Wasmtime's WASI implementation. For embedders this is a denial-of-service issue: the panic crashes the host application.

Reproduction

The vulnerability can be reproduced by creating a 'wasi:http/types.fields' instance and adding a large number of fields to it through the 'wasi:http' fields functions, in a Wasmtime environment where no resource limits are configured.

Remediation

Users are advised to update to Wasmtime versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0, which include the necessary fix. Embedders should also consider configuring the new resource limit options available in these versions to prevent similar issues.
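The following added example (not from the advisory or the Wasmtime project) turns the version list above into a check an embedder can run against the output of 'wasmtime --version' or a Cargo.lock entry. It assumes that a major line with no listed fix release (for example anything between 25.x and 35.x) has no patched build and therefore treats it as affected.

```python
import re

# Fixed releases named in the advisory, one per maintained major line.
FIXED_VERSIONS = [(24, 0, 6), (36, 0, 6), (40, 0, 4), (41, 0, 4), (42, 0, 0)]

def parse_version(text):
    """Extract (major, minor, patch) from strings such as '24.0.5',
    'v36.0.6' or 'wasmtime 41.0.4'; raise ValueError if none is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """Return True if the given Wasmtime version still carries the
    wasi:http fields panic described in the advisory."""
    ver = parse_version(version) if isinstance(version, str) else tuple(version)
    # The newest fixed release (42.0.0) and everything after it is patched.
    if ver >= FIXED_VERSIONS[-1]:
        return False
    # Older maintained lines are patched from their listed fix release on.
    for fix in FIXED_VERSIONS[:-1]:
        if ver[0] == fix[0]:
            return ver < fix
    # Assumption: a major line without a listed fix release has no patched
    # build, so it is reported as affected.
    return True

def report(version_output):
    """Human-readable verdict for a 'wasmtime --version' style string."""
    status = "AFFECTED" if is_affected(version_output) else "patched"
    return f"{'.'.join(map(str, parse_version(version_output)))}: {status}"

if __name__ == "__main__":
    # Constructed sample inputs, not real scan results.
    for sample in ["wasmtime 24.0.5", "wasmtime 24.0.6", "v30.0.2", "42.1.0"]:
        print(report(sample))
```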

Added: Feb 24, 2026, 11:20 PM
Updated: Feb 24, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm

spread:          4.2
impact:          2.5
exploitability:  4.0
remediation:     7.7
relevance:       3.1
threat:          4.8
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.