Summary
runwasi's Wasmtime shim may deserialize attacker-supplied precompiled artifacts from OCI image layers, allowing code execution outside the WASI sandbox but within the workload container boundary.
Impact
Affected versions of runwasi may accept a Wasmtime precompiled artifact supplied directly as an OCI image layer when using the precompile-cache path. Precompiled artifacts are native-code cache entries and must only be loaded from a trusted local cache, not from untrusted image content.
An attacker who can cause a victim to run a crafted OCI image with containerd-shim-wasmtime-v1 can cause the shim to deserialize and execute attacker-controlled native code instead of compiling and validating WebAssembly. This bypasses the WASI/WebAssembly sandbox.
The executed code runs in the shim's "zygote" process inside the workload container.
This can allow escape from the wasm sandbox to the container boundary, including access available to that container such as its filesystem mounts, environment, credentials, pod/container networking and the native Linux syscall surface allowed to that container.
This does not by itself bypass container isolation or provide direct host-level code execution.
The issue also affects downstream shims built with runwasi's containerd-shim-wasm precompile-cache API if they implement Compiler and trust executable precompiled artifacts from OCI image layers.
Patches
Patched versions reject precompiled artifacts supplied directly by OCI image layers. Precompiled artifacts are only accepted when they originate from runwasi's local containerd precompile cache.
Users should upgrade to a patched release once available.
Workarounds
Do not run untrusted OCI images with containerd-shim-wasmtime-v1 on affected versions.
Summary
runwasi's Wasmtime shim may deserialize attacker-supplied precompiled artifacts from OCI image layers, allowing code execution outside the WASI sandbox but within the workload container boundary.
Impact
Affected versions of runwasi may accept a Wasmtime precompiled artifact supplied directly as an OCI image layer when using the precompile-cache path. Precompiled artifacts are native-code cache entries and must only be loaded from a trusted local cache, not from untrusted image content.
An attacker who can cause a victim to run a crafted OCI image with
containerd-shim-wasmtime-v1can cause the shim to deserialize and execute attacker-controlled native code instead of compiling and validating WebAssembly. This bypasses the WASI/WebAssembly sandbox.The executed code runs in the shim's "zygote" process inside the workload container.
This can allow escape from the wasm sandbox to the container boundary, including access available to that container such as its filesystem mounts, environment, credentials, pod/container networking and the native Linux syscall surface allowed to that container.
This does not by itself bypass container isolation or provide direct host-level code execution.
The issue also affects downstream shims built with runwasi's
containerd-shim-wasmprecompile-cache API if they implementCompilerand trust executable precompiled artifacts from OCI image layers.Patches
Patched versions reject precompiled artifacts supplied directly by OCI image layers. Precompiled artifacts are only accepted when they originate from runwasi's local containerd precompile cache.
Users should upgrade to a patched release once available.
Workarounds
Do not run untrusted OCI images with
containerd-shim-wasmtime-v1on affected versions.