Wasmtime GitHub notifications bot (Feb 25 2026 at 22:06): Wasmtime GitHub notifications bot (Feb 25 2026 at 22:06):alexcrichton opened issue #12674:
https://github.com/bytecodealliance/wasmtime/pull/12652 audited all of WASIp{1,2}, but given that WASIp3 is not covered by out security policy yet (it's off-by-default) it was not audited in the interest of time. We should, however, go through all of WASIp3's APIs and implementations to audit for any resource exhaustion vectors.
Wasmtime GitHub notifications bot (Feb 25 2026 at 22:06):alexcrichton added the wasm-proposal:component-model-async label to Issue #12674.
Wasmtime GitHub notifications bot (Feb 26 2026 at 18:05):dicej commented on issue #12674:
Is this a duplicate of #11552, or does this supersede that issue?
Wasmtime GitHub notifications bot (Feb 26 2026 at 21:38):alexcrichton commented on issue #12674:
Similar, but separate I think. I'll comment some more on that issue, but for example WASIp3's implementation of
get-random-bytesneeds some sort of limit in place. Additionally we should audit stream/future implementations to ensure a guest can't accidentally force a host to buffer huge amounts of memory (things like that). #11552 is still good to address, notably making the current limit added configurable.
Wasmtime GitHub notifications bot (Mar 12 2026 at 21:20):alexcrichton commented on issue #12674:
https://github.com/bytecodealliance/wasmtime/pull/12767 contains the last vector that I know of from reviewing code, so I've flagged that as closing this issue upon merging.
Wasmtime GitHub notifications bot (Mar 12 2026 at 22:19):alexcrichton closed issue #12674:
https://github.com/bytecodealliance/wasmtime/pull/12652 audited all of WASIp{1,2}, but given that WASIp3 is not covered by out security policy yet (it's off-by-default) it was not audited in the interest of time. We should, however, go through all of WASIp3's APIs and implementations to audit for any resource exhaustion vectors.
Last updated: Mar 23 2026 at 16:19 UTC