Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34): Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton opened PR #12650 from alexcrichton:back41 to bytecodealliance:release-41.0.0:
This commit contains merged backports for three security advisories in Wasmtime:
- GHSA-852m-cvvp-9p4w
- GHSA-243v-98vx-264h
- GHSA-xjhv-v822-pf94
This introduces new knobs to Wasmtime to limit the scope of resources that WASI implementations will allocate on behalf of guests. To preserve backwards-compatible behavior all knobs are set quite high (e.g. 2GiB). Embeddings can turn these knobs as appropriate to limit the amount of data the host will allocate for a guest. The following CLI knobs have been added:
-Smax-resources- limits the total component-model resources a guest can allocate in a table-Shostcall-fuel- a broad limit which enforces that at most this amount of data will be copied from the guest to the host in any one API call (e.g.stringvalues can't be too big,list<string>can't be quadratic, etc). This fuel is reset on each host function call.-Smax-random-size- the maximal size of the return value of theget-random-bytesandget-insecure-random-bytesWASI functions.-Smax-http-fields-size- a limit on the size ofwasi:httpfieldsvalues to avoid infinitely buffering data within the host.The
httpcrate has additionally been updated to avoid a panic when adding too many headers to afieldsobject. Finally, a panic when dropping{Typed,}Func::call_asynchas been resolved when thecomponent-model-asyncfeature is enabled at compile time.<!--
Please make sure you include the following information:
If this work has been discussed elsewhere, please include a link to that
conversation. If it was discussed in an issue, just mention "issue #...".Explain why this change is needed. If the details are in an issue already,
this can be brief.Our development process is documented in the Wasmtime book:
https://docs.wasmtime.dev/contributing-development-process.htmlPlease ensure all communication follows the code of conduct:
https://github.com/bytecodealliance/wasmtime/blob/main/CODE_OF_CONDUCT.md
-->
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-wasi-reviewers for a review on PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested dicej for a review on PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-core-reviewers for a review on PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-default-reviewers for a review on PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:40):dicej submitted PR review.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:44):alexcrichton updated PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 17:05):alexcrichton updated PR #12650.
Wasmtime GitHub notifications bot (Feb 24 2026 at 17:35):alexcrichton merged PR #12650.
Last updated: Mar 23 2026 at 16:19 UTC