
gavinray, yesterday at 5:40 PM

> the attacker can embed whatever WASM payload they want into the file since the file will be “opened” by “execute this offset into the file”.

And then do what with it?

WASM physically cannot interact with the underlying host or perform I/O -- you need a WASI environment for that.


Replies

ratorx, yesterday at 5:49 PM

Putting aside the WASM sandboxing (I’m not familiar enough with it to understand how sandboxing works) there’s a DoS vector at least. Even regexes have had many DoS issues, and I can’t imagine WASM being easier to sandbox for DoS risk.
