PYSEC-2023-191

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/vyper/PYSEC-2023-191.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2023-191
Aliases
Published
2023-09-27T15:19:00Z
Modified
2023-11-01T05:02:56.614099Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate its input when it is nested inside an expression. Uses of _abi_decode() can be constructed that bypass bounds checking and produce incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

References

Affected packages

PyPI / vyper

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.4
Fixed
0.3.10

Affected versions

0.*

0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10rc1
0.3.10rc2
0.3.10rc3
0.3.10rc4
0.3.10rc5