alexcrichton opened PR #12647 from alexcrichton:back24 to bytecodealliance:release-24.0.0:
This commit contains merged backports for two security advisories in Wasmtime:
- GHSA-852m-cvvp-9p4w
- GHSA-243v-98vx-264h
This introduces new knobs to Wasmtime to limit the scope of resources that WASI implementations will allocate on behalf of guests. To preserve backwards-compatible behavior, all knobs are set quite high (e.g. 2GiB). Embeddings can turn these knobs as appropriate to limit the amount of data the host will allocate for a guest. The following CLI knobs have been added:
- `-Smax-resources` - limits the total component-model resources a guest can allocate in a table
- `-Shostcall-fuel` - a broad limit which enforces that at most this amount of data will be copied from the guest to the host in any one API call (e.g. `string` values can't be too big, `list<string>` can't be quadratic, etc). This fuel is reset on each host function call.
- `-Smax-random-size` - the maximal size of the return value of the `get-random-bytes` and `get-insecure-random-bytes` WASI functions.
- `-Smax-http-fields-size` - a limit on the size of `wasi:http` `fields` values to avoid infinitely buffering data within the host.
The `http` crate has additionally been updated to avoid a panic when adding too many headers to a `fields` object.
alexcrichton requested wasmtime-core-reviewers for a review on PR #12647.
alexcrichton requested wasmtime-default-reviewers for a review on PR #12647.
alexcrichton requested pchickey for a review on PR #12647.
alexcrichton updated PR #12647.
dicej submitted PR review.
alexcrichton merged PR #12647.
Last updated: Mar 23 2026 at 16:19 UTC