VYPR

apk package

chainguard/wasmcloud

pkg:apk/chainguard/wasmcloud

Vulnerabilities (35)

  • CVE-2026-25537 | Feb 4, 2026
    affected < 2.0.1-r0 | fixed 2.0.1-r0

    jsonwebtoken is a JWT library in Rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (like a String instead of a Number)

  • CVE-2026-24116 | Jan 27, 2026
    affected < 2.0.1-r0 | fixed 2.0.1-r0

    Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signa

  • CVE-2025-64345 | Low | Nov 12, 2025
    affected < 1.9.1-r0 | fixed 1.9.1-r0

    Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the content

  • CVE-2025-58160 | Low | Aug 29, 2025
    affected < 1.9.0-r1 | fixed 1.9.0-r1

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i

  • CVE-2024-58262 | Jul 27, 2025
    affected < 1.1.0-r0 | fixed 1.1.0-r0

    The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.

  • CVE-2025-53901 | Jul 18, 2025
    affected < 1.9.1-r0 | fixed 1.9.1-r0

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op

  • CVE-2024-12224 | May 30, 2025
    affected < 1.5.0-r0 | fixed 1.5.0-r0

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4574 | Med | May 13, 2025
    affected < 1.7.1-r2 | fixed 1.7.1-r2

    In the crossbeam-channel Rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-4432 | Med | May 9, 2025
    affected < 1.6.2-r1 | fixed 1.6.2-r1

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2024-51756 | Low | Nov 5, 2024
    affected < 1.4.0-r2 | fixed 1.4.0-r2

    The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a

  • CVE-2024-51745 | Nov 5, 2024
    affected < 1.4.0-r2 | fixed 1.4.0-r2

    Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su

  • CVE-2024-47813 | Oct 9, 2024
    affected < 1.3.0-r1 | fixed 1.3.0-r1

    Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi

  • CVE-2024-47763 | Oct 9, 2024
    affected < 1.3.0-r1 | fixed 1.3.0-r1

    Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or

  • CVE-2024-45311 | Sep 2, 2024
    affected < 1.2.1-r1 | fixed 1.2.1-r1

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exp

  • CVE-2024-32650 | Hig | Apr 19, 2024
    affected < 1.1.0-r0 | fixed 1.1.0-r0

    Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete
