Extism
Extism is an open-source framework (developed by Dylibso, founded 2022) that makes it easy for any application to embed a WebAssembly plugin system. It sits between the host application and a Wasm runtime, handling the boilerplate that every Wasm plugin host needs.
What problem it solves
Using a raw Wasm runtime (Wasmtime, Wazero, etc.) to run plugins requires writing significant glue code:
- Instantiate the Wasm module and manage its lifecycle
- Allocate and free memory inside the module’s linear memory
- Marshall data in/out (the module can only work with bytes in its own memory)
- Handle errors and timeouts
- Define and register host functions the plugin can call
Extism wraps all of this into a single Plugin.Call(funcName, input) -> output API. The host loads a .wasm file, calls a named function with input bytes, and gets output bytes back.
Architecture
+-----------------------------------------------+
| Host Application (Go, Rust, Python, etc.) |
| |
| Extism Host SDK |
| - Plugin.Call("my_func", input) -> output |
| - Manages memory allocation |
| - Marshalls data via shared memory |
| - Enforces allowedHosts, timeouts |
| |
| +-------------------------------------------+
| | Wasm Runtime (Wasmtime or Wazero) |
| | +---------------------------------------+|
| | | .wasm Plugin (built with PDK) ||
| | | - Reads input from Extism memory ||
| | | - Calls host functions if needed ||
| | | - Writes output to Extism memory ||
| | +---------------------------------------+|
| +-------------------------------------------+
+-----------------------------------------------+
Host SDKs and PDKs
Host SDKs (for the application embedding plugins): Go, Rust, Python, Ruby, JavaScript/Node.js, Java, .NET, C/C++, Elixir, PHP, OCaml, Haskell, Zig, and others.
PDKs — Plugin Development Kits (for writing plugins): Rust, Go (via TinyGo — a Go compiler targeting microcontrollers and Wasm), JavaScript, AssemblyScript, C, Zig, .NET, and others.
A plugin written in Rust with the Extism PDK can be loaded by a Go host using the Extism Host SDK. The plugin author and host author don’t need to share a language.
Security model
Extism provides built-in controls beyond the Wasm sandbox:
allowedHosts— restrict which HTTP endpoints the plugin can reach (default: none)- Memory limits — cap the number of linear memory pages
- Timeouts — kill execution after a deadline
- No filesystem access — unless explicitly granted by the host
These controls are what Helm 4 exposes in its plugin.yaml runtimeConfig section.
Notable users
- Helm 4 — Wasm plugin runtime (
extism/v1identifier). Uses Extism with Wazero. - Zellij — terminal multiplexer, uses Extism for its plugin system
- Grafana — exploring Extism for dashboard plugin sandboxing
See also
- WebAssembly — the underlying technology (sandbox model, WASI, runtimes)
- Helm and WebAssembly — how Helm 4 uses Extism for sandboxed plugins