Been running Wasmtime for over a year now for our code grading platform where students submit Python and Rust homework. Learned the hard way that running student code directly on the host is fucking insane - some genius kept submitting rm -rf / and wondering why their grade was zero.
So we compile everything to WebAssembly and sandbox it in Wasmtime. Version 37.0.0 came out a few weeks back and hasn't exploded yet, which puts it miles ahead of version 25.x. That release was a complete disaster - memory management would randomly shit the bed with SIGSEGV around every third module instantiation. Took them three point releases to fix that clusterfuck.
Built in Rust, so at least it won't segfault when some student tries to buffer overflow their homework assignment. That alone puts it ahead of the C++ alternatives like WAVM or Wasm3 I've wrestled with.
Performance Reality Check
You're looking at roughly 2x slowdown compared to native. For our grading system where student code runs for maybe 10 seconds max, the difference between 100ms and 200ms doesn't matter.
Startup time though? That's where this thing shines. Module instantiation hits under 1ms consistently. Meanwhile Docker containers are sitting there jerking off for 200ms minimum, even with every optimization trick in the book.
You get two compilation modes:
- JIT: Compiles on the fly, starts fast
- AOT: Pre-compiles everything, runs faster but takes longer to start
For our grading system, JIT works fine. For production services that run for hours, AOT makes more sense.
Security Without the Headaches
The security model is actually usable. WebAssembly code runs in a sandbox by default - it literally cannot access your filesystem, network, or anything else unless you explicitly grant capabilities through WASI.
No more "whoops, student code just nuked the entire filesystem" disasters. Been there, learned that lesson when I had to restore from backups at 2am because some kid thought system("rm -rf /") would be hilarious.
Capability-based security that actually works. You give a module read access to /tmp/homework/ and that's literally all it can touch. Try to read /etc/passwd? Get fucked with EACCESS. Try to write to /home? Nope. The runtime enforces this shit properly, not like Docker where you pray your apparmor profiles don't have holes.
Recent security issues have been handled transparently - they actually publish CVE details instead of the usual vendor silence. CVE-2025-53901 from July was a panic in the WASI preview1 adapter that would crash with thread 'main' panicked at 'called Option::unwrap() on a None value' when using fd_renumber. Fixed within days.
WASI: The Useful Parts
WASI (WebAssembly System Interface) lets WebAssembly code do normal program things like file I/O and network calls. Version preview2 is what you want to use now - preview1 is legacy and has those fd_renumber panics I mentioned.
The filesystem interface works well enough. Network support exists but expect limitations - HTTP clients work fine, raw sockets don't. Perfect for running web scrapers or API clients, useless for writing servers.
WebAssembly 3.0 dropped on September 17th with garbage collection support, which means languages like Java and C# can finally compile to efficient WebAssembly. Wasmtime already has experimental GC support if you enable the feature flag.
Fair warning: the documentation assumes you already understand WebAssembly concepts. If you're new to this, budget extra time for the learning curve or start with the WebAssembly book.