WebAssembly Security Research Highlights JIT Compiler Risks

The CISPA paper looked at how WebAssembly's "security through isolation" works in practice. Spoiler: it's more complicated than the marketing promised.

Side-Channel Attack Vectors

The main finding isn't a sandbox escape, but rather side-channel attacks through timing analysis. Basically, you can sometimes figure out what other WASM modules are doing by measuring how long certain operations take.

This happens because browsers share some JIT compilation resources between different WASM instances. If you're running untrusted WASM code alongside sensitive data processing, there might be information leakage through timing patterns.

Why This Matters for Production WASM

We're using WASM for our image processing pipeline and honestly hadn't thought much about isolation between different modules. Assumed the sandbox meant complete separation, but turns out shared compilation caches can leak timing information.

It's not catastrophic - no one's getting shell access or reading arbitrary memory. But if you're processing sensitive data in WASM, you probably want different instances to have better isolation than they currently do.

The paper suggests some mitigations around compilation strategies and resource allocation, but nothing's implemented in browsers yet.

What You Should Actually Do

This isn't a "patch immediately" situation since there's no active exploit. But it does change how you should think about WASM security if you're processing sensitive data.

For now, the best defense is isolating different WASM workloads. Don't run untrusted code in the same browser context as sensitive processing. Use separate tabs, workers, or ideally separate processes when possible.

The research paper recommends some browser-level fixes around compilation cache isolation, but those will take time to implement. Mozilla and Google both acknowledged the findings but haven't committed to specific timelines.

Really highlights that WASM's security model is more nuanced than "just sandbox everything." The execution environment is still shared in ways that can leak information, even when memory isolation works perfectly.

Forget the theoretical security model discussions. Here's what actually matters if you're running WebAssembly in production.

Immediate Actions

First, update everything. Chrome to 128.0.6613.119, Node.js to the latest patch versions. Don't wait for your regular update cycle - this is being actively exploited.

Second, audit your WASM dependencies. If you're loading third-party WebAssembly modules, especially from CDNs or user uploads, you're at higher risk. This vulnerability could let malicious WASM break out of the sandbox completely.

I spent yesterday going through every WASM library we use. Found a few that we load from external sources without any verification. Attack vectors we never considered because "WebAssembly is secure" or whatever.

The Broader Problem

This isn't just about one CVE. It's about the gap between WebAssembly's marketing and reality. Every presentation talks about "memory safety" and "sandboxing," but the implementations keep having these fundamental flaws.

V8 has had multiple WASM-related vulnerabilities over the past two years. Each time, the fix comes with the same promise that "this shouldn't happen again." Yet here we are.

The problem is complexity. V8's WASM implementation includes multiple JIT compilers, garbage collectors, and optimization passes. Any one of these can introduce type confusion bugs like CVE-2025-10585.

Defense in Depth

Don't rely solely on WebAssembly's security model. If you're running WASM in production:

• Isolate it in containers or separate processes
• Validate all inputs before passing them to WASM modules
• Monitor for unusual memory usage patterns
• Keep detailed logs of WASM module loading and execution

We're thinking about running our WASM workloads in isolated containers after all this shit. It's overhead, but probably better than getting pwned because we trusted the sandbox too much.

This CVE should be a wake-up call. WebAssembly is powerful, but it's not magic. The runtimes are complex software with bugs, just like everything else we depend on.