HIGH 7.5

RUSTSEC-2026-0149

WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Details

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph For more information see the GitHub-hosted security advisory.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / wasmtime-wasi

Introduced in: 0.0.0-0 Fixed in: 24.0.9

Upgrade wasmtime-wasi to 24.0.9 or newer (ecosystem crates.io).

References

https://crates.io/crates/wasmtime-wasi [PACKAGE]
https://rustsec.org/advisories/RUSTSEC-2026-0149.html [ADVISORY]
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph [ADVISORY]