GHSA-cx2q-hfxr-rj97

Suggest an improvement
Source
https://github.com/advisories/GHSA-cx2q-hfxr-rj97
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cx2q-hfxr-rj97/GHSA-cx2q-hfxr-rj97.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cx2q-hfxr-rj97
Aliases
Related
Published
2023-09-26T19:34:53Z
Modified
2024-11-19T17:30:59.038174Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Vyper's `_abi_decode` input not validated in complex expressions
Details

Impact

_abi_decode() does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):

x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

however, the following example is not bounds checked

@external
def abi_decode(x: uint256) -> uint256:
    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
    return a  # abi_decode(256) returns: 257

the issue can be triggered by constructing an example where the output of _abi_decode is not internally passed to make_setter (an internal codegen routine) or other input validating routine.

Patches

https://github.com/vyperlang/vyper/pull/3626

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Database specific
{
    "nvd_published_at": "2023-09-27T15:19:32Z",
    "cwe_ids": [
        "CWE-682"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-26T19:34:53Z"
}
References

Affected packages

PyPI / vyper

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.4
Fixed
0.3.10

Affected versions

0.*

0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10rc1
0.3.10rc2
0.3.10rc3
0.3.10rc4
0.3.10rc5