Skip to content

[36.0.x] Backport fixes for security advisories#12648

Merged
alexcrichton merged 3 commits into
bytecodealliance:release-36.0.0from
alexcrichton:back36
Feb 24, 2026
Merged

[36.0.x] Backport fixes for security advisories#12648
alexcrichton merged 3 commits into
bytecodealliance:release-36.0.0from
alexcrichton:back36

Conversation

@alexcrichton

Copy link
Copy Markdown
Member

This commit contains merged backports for two security advisories in Wasmtime:

This introduces new knobs to Wasmtime to limit the scope of resources that WASI implementations will allocate on behalf of guests. To preserve backwards-compatible behavior all knobs are set quite high (e.g. 2GiB). Embeddings can turn these knobs as appropriate to limit the amount of data the host will allocate for a guest. The following CLI knobs have been added:

  • -Smax-resources - limits the total component-model resources a guest can allocate in a table
  • -Shostcall-fuel - a broad limit which enforces that at most this amount of data will be copied from the guest to the host in any one API call (e.g. string values can't be too big, list<string> can't be quadratic, etc). This fuel is reset on each host function call.
  • -Smax-random-size - the maximal size of the return value of the get-random-bytes and get-insecure-random-bytes WASI functions.
  • -Smax-http-fields-size - a limit on the size of wasi:http fields values to avoid infinitely buffering data within the host.

The http crate has additionally been updated to avoid a panic when adding too many headers to a fields object.

This commit contains merged backports for two security advisories in
Wasmtime:

* GHSA-852m-cvvp-9p4w
* GHSA-243v-98vx-264h

This introduces new knobs to Wasmtime to limit the scope of resources
that WASI implementations will allocate on behalf of guests. To preserve
backwards-compatible behavior all knobs are set quite high (e.g. 2GiB).
Embeddings can turn these knobs as appropriate to limit the amount of data the
host will allocate for a guest. The following CLI knobs have been added:

* `-Smax-resources` - limits the total component-model resources a guest
  can allocate in a table
* `-Shostcall-fuel` - a broad limit which enforces that at most this
  amount of data will be copied from the guest to the host in any one
  API call (e.g. `string` values can't be too big, `list<string>` can't
  be quadratic, etc). This fuel is reset on each host function call.
* `-Smax-random-size` - the maximal size of the return value of the
  `get-random-bytes` and `get-insecure-random-bytes` WASI functions.
* `-Smax-http-fields-size` - a limit on the size of `wasi:http` `fields`
  values to avoid infinitely buffering data within the host.

The `http` crate has additionally been updated to avoid a panic when
adding too many headers to a `fields` object.

Co-authored-by: Mark Bundschuh <mark@mbund.dev>
Co-authored-by: Pat Hickey <p.hickey@f5.com>
@alexcrichton alexcrichton requested review from a team as code owners February 24, 2026 16:33
@alexcrichton alexcrichton requested review from cfallin and removed request for a team February 24, 2026 16:33
* Run rustfmt
* Fix wasi-common build
* Fix vets with cargo-vet@0.10.0
@alexcrichton alexcrichton enabled auto-merge (squash) February 24, 2026 16:52
@alexcrichton alexcrichton merged commit 48b427b into bytecodealliance:release-36.0.0 Feb 24, 2026
167 checks passed
@alexcrichton alexcrichton deleted the back36 branch February 24, 2026 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants