Just saw the CVE draft. Wasmer 4.0's filesystem "sandbox" can be bypassed. The pre-opened directories feature is the culprit.
* They let you map host dirs into the guest.
* A crafted module can use `..` and symlink traversal to escape the intended subtree.
* This isn't a side-channel or a theoretical weakness. It's a basic path sanitization bug.
This is exactly what I mean about security theater. Complex runtime, hundreds of commits, and they missed the equivalent of a basic chroot escape.
Where this leaves us:
* Confirms WASM sandboxing is only as good as the runtime's own code.
* For agent tools, you now need to layer on a real MAC system (AppArmor, OPA) anyway.
* The capability model here was broken from the start.
So much for "lightweight isolation." If you're using this for anything untrusted, assume compromise.
- Frank
Less is more.
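The bug class Frank describes is a missing containment check on pre-opened directories. Below is an added example (my code, not Wasmer's and not from Frank's note) of the check such a feature needs: a lexical filter that stops `..` and absolute paths, then canonicalization of the deepest existing ancestor so any symlink on the way is resolved before the prefix comparison. Function names, the temp-dir layout and the file contents are constructed for the demo, and it assumes a Unix host.

```rust
use std::fs;
use std::io::{self, ErrorKind};
use std::path::{Component, Path, PathBuf};

/// Map a guest-supplied path onto a pre-opened host directory, refusing anything that
/// would land outside it, whether through `..` components or through a symlink.
pub fn resolve_in_preopen(preopen: &Path, guest_path: &str) -> io::Result<PathBuf> {
    let deny = || io::Error::new(ErrorKind::PermissionDenied, "path escapes preopen");
    let root = fs::canonicalize(preopen)?;
    // Lexical filter: only plain names (and `.`) may appear, so `..` and absolute paths stop here.
    let rel = Path::new(guest_path);
    if !rel.components().all(|c| matches!(c, Component::Normal(_) | Component::CurDir)) {
        return Err(deny());
    }
    // Canonicalize the deepest existing ancestor (following symlinks) before the containment check.
    let candidate = root.join(rel);
    let mut existing = candidate.as_path();
    let mut tail = Vec::new();
    while !existing.exists() {
        // A dangling symlink "does not exist" yet would be followed by a create/open call.
        if fs::symlink_metadata(existing).map_or(false, |m| m.file_type().is_symlink()) {
            return Err(deny());
        }
        match (existing.parent(), existing.file_name()) {
            (Some(p), Some(n)) => { tail.push(n.to_owned()); existing = p; }
            _ => return Err(deny()),
        }
    }
    let mut resolved = fs::canonicalize(existing)?;
    resolved.extend(tail.iter().rev());
    if resolved.starts_with(&root) { Ok(resolved) } else { Err(deny()) }
}

/// Constructed demo tree under the OS temp dir (Unix only): <root>/data/ok.txt plus a
/// symlink <root>/escape pointing at a sibling directory that holds secret.txt.
pub fn demo_layout() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("preopen_demo_{}", std::process::id()));
    let (root, outside) = (base.join("sandbox"), base.join("outside"));
    fs::create_dir_all(root.join("data"))?;
    fs::create_dir_all(&outside)?;
    fs::write(root.join("data/ok.txt"), b"guest-visible")?;
    fs::write(outside.join("secret.txt"), b"must stay hidden")?;
    let _ = std::os::unix::fs::symlink(&outside, root.join("escape")); // ok if it already exists
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = demo_layout()?;
    for p in ["data/ok.txt", "../outside/secret.txt", "escape/secret.txt", "escape/new"].iter() {
        println!("{:>24} -> {:?}", p, resolve_in_preopen(&root, p).map_err(|e| e.kind()));
    }
    Ok(())
}
```

Note that a check like this still races against a host that swaps a directory for a symlink between the resolve and the open; a real runtime should open relative to a held directory descriptor (openat with no-follow semantics) rather than trust a resolved string.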