VDB
CVE-2025-14957
PUBLISHED
CVSS 4.8 MEDIUM
A vulnerability was identified in WebAssembly Binaryen up to version 125. It affects the functions IRBuilder::makeLocalGet, IRBuilder::makeLocalSet and IRBuilder::makeLocalTee in the file src/wasm/wasm-ir-builder.cpp of the IRBuilder component. Manipulating the argument Index leads to a null pointer dereference. The attack requires local access. An exploit is publicly available and might be used. The patch is identified as 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying the patch is advised to resolve this issue.
EPSS 0.02% · 4.9th percentile
Risk Scores
CVSS v4.0
4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
EPSS Score
0.02%
4.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WebAssembly | Binaryen | 125 |
| webassembly | binaryen | 0 |
Timeline
- Dec 19, 2025 CVE ID Reserved
- Dec 19, 2025 CVE Published
- Dec 20, 2025 EPSS Score
- Dec 24, 2025 EPSS Score
- Dec 28, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 4, 2026 EPSS Score
- Jan 8, 2026 EPSS Score
- Jan 12, 2026 EPSS Score
- Jan 16, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 23, 2026 EPSS Score
References
- https://vuldb.com/?submit.717317 advisory
- https://vuldb.com/?submit.717319 advisory
- VDB-337593 | WebAssembly Binaryen IRBuilder wasm-ir-builder.cpp makeLocalTee null pointer dereference vdb
- VDB-337593 | CTI Indicators (IOB, IOC, IOA) url
- https://github.com/WebAssembly/binaryen/issues/8090 issue
- https://github.com/WebAssembly/binaryen/pull/8099 issue
- https://github.com/oneafter/1204/blob/main/af1 exploit
- https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4 patch
- https://github.com/WebAssembly/binaryen/ url
- https://nvd.nist.gov/vuln/detail/CVE-2025-14957 advisory