A vulnerability was found in Huawei HarmonyOS 5.0.0. It has been declared as critical. This vulnerability affects an unknown code block of the component Arkweb v8 Module. The manipulation with an unknown input leads to a inconsistency between implementation and documented design vulnerability. The CWE definition for the vulnerability is CWE-1068. The implementation of the product is not consistent with the design as described within the relevant documentation. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Wasm exception capture vulnerability in the arkweb v8 module Impact: Successful exploitation of this vulnerability may cause the failure to capture specific Wasm exception types.

The advisory is shared for download at consumer.huawei.com. This vulnerability was named CVE-2025-48905 since 05/28/2025. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 06/09/2025).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-17086). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Huawei

Name

• HarmonyOS

Version

• 5.0.0

License

• commercial

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion