Medium severity 5.3 · NVD Advisory · Published Sep 27, 2023 · Updated Jun 17, 2026
CVE-2023-42460
Description
Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | >= 0.3.4, < 0.3.10 | 0.3.10 |
References
- github.com/vyperlang/vyper/pull/3626 (nvd: Patch, WEB)
- github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97 (nvd: Exploit, Patch, Third Party Advisory, WEB)
- github.com/advisories/GHSA-cx2q-hfxr-rj97 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-42460 (ghsa: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-191.yaml (ghsa: WEB)