Moderate severity · NVD Advisory · Published Sep 26, 2023 · Updated Sep 24, 2024
_abi_decode input not validated in complex expressions in Vyper
CVE-2023-42460
Description
Vyper is a Pythonic smart contract language for the EVM. The built-in _abi_decode() function does not validate its input when the call is nested inside a larger expression rather than used on its own. Uses of _abi_decode() can be constructed that bypass the bounds checking normally applied to the decoded value, producing incorrect results. At the time the advisory was published the issue had not yet been fixed; the fix was expected in release 0.3.10 and is tracked in pull request #3626.
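The following contract is an added illustration of the two usage patterns the description distinguishes; it is not the advisory's proof of concept and not code from the Vyper project. It assumes (as the description states) that validation of the decoded value happens when _abi_decode() stands on its own in a statement, and is skipped when the call is nested in an expression such as arithmetic. The function names, the Bytes[32] payload and the uint8 target type are chosen here for illustration.

```vyper
# @version 0.3.9
# Illustrative contract written for this page (not the advisory's PoC).
# 0.3.9 lies inside the affected range >= 0.3.4, < 0.3.10.

@external
def decode_then_use(payload: Bytes[32]) -> uint8:
    # Statement-level decode: the decoded word is assigned to a typed local
    # first. Per the description this is the path on which the bounds check
    # on the decoded value runs (assumption: the check applies here).
    v: uint8 = _abi_decode(payload, uint8)
    return v + 1  # checked arithmetic; reverts rather than wrapping

@external
def decode_in_expression(payload: Bytes[32]) -> uint8:
    # Decode nested directly inside an arithmetic expression. This is the
    # "complex expression" pattern the advisory names: in affected versions
    # the validation of the decoded value is not applied on this path, so a
    # payload whose word is not a valid uint8 is used without the range check.
    return _abi_decode(payload, uint8) + 1
```

The remediation the page supports is upgrading to vyper 0.3.10, the patched version listed below. As an interim measure for code that cannot be rebuilt immediately, assigning the result of _abi_decode() to a typed local variable before using it (the decode_then_use form above) keeps the decode at statement level; whether that fully covers every nested use is an assumption based on the description, so treat the upgrade as the actual fix.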
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | >= 0.3.4, < 0.3.10 | 0.3.10 |
References
- GitHub Advisory Database: github.com/advisories/GHSA-cx2q-hfxr-rj97
- NVD: nvd.nist.gov/vuln/detail/CVE-2023-42460
- PyPA advisory database (PYSEC-2023-191): github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-191.yaml
- Fix pull request #3626: github.com/vyperlang/vyper/pull/3626
- Vyper repository security advisory: github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97