Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/23917?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/23917?format=api", "purl": "pkg:pypi/vyper@0.1.0b2", "type": "pypi", "namespace": "", "name": "vyper", "version": "0.1.0b2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.4.1", "latest_non_vulnerable_version": "0.4.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36974?format=api", "vulnerability_id": "VCID-1r9c-w5zc-6ker", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44331?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-27105", "GHSA-4w26-8p97-f4jp", "PYSEC-2025-31" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1r9c-w5zc-6ker" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36498?format=api", "vulnerability_id": "VCID-27ed-mhnf-ykgz", "summary": "Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37902", "reference_id": "CVE-2023-37902", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37902" }, { "reference_url": "https://github.com/advisories/GHSA-f5x6-7qgp-jhf3", "reference_id": "GHSA-f5x6-7qgp-jhf3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f5x6-7qgp-jhf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35067?format=api", "purl": "pkg:pypi/vyper@0.3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/35879?format=api", "purl": "pkg:pypi/vyper@0.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10" } ], "aliases": [ "CVE-2023-37902", "GHSA-f5x6-7qgp-jhf3", "PYSEC-2023-133" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-27ed-mhnf-ykgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36437?format=api", "vulnerability_id": "VCID-297e-aexx-ykea", "summary": "Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30837", "reference_id": "CVE-2023-30837", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30837" }, { "reference_url": "https://github.com/advisories/GHSA-mgv8-gggw-mrg6", "reference_id": "GHSA-mgv8-gggw-mrg6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mgv8-gggw-mrg6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-30837", "GHSA-mgv8-gggw-mrg6", "PYSEC-2023-76" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-297e-aexx-ykea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36448?format=api", "vulnerability_id": "VCID-3f9m-vgt7-m7gg", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520." }, { "reference_url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675", "reference_id": "CVE-2023-32675", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675" }, { "reference_url": "https://github.com/advisories/GHSA-vxmm-cwh2-q762", "reference_id": "GHSA-vxmm-cwh2-q762", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vxmm-cwh2-q762" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32675", "GHSA-vxmm-cwh2-q762", "PYSEC-2023-80" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3f9m-vgt7-m7gg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35888?format=api", "vulnerability_id": "VCID-5kj5-vafy-83fg", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack. This issue has been resolved in version 0.3.0.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/2447" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41121", "reference_id": "CVE-2021-41121", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41121" }, { "reference_url": "https://github.com/advisories/GHSA-xv8x-pr4h-73jv", "reference_id": "GHSA-xv8x-pr4h-73jv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xv8x-pr4h-73jv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23949?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-6u3h-yjk9-nbhx" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8jrz-6s9h-4bfh" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-unvz-641j-6qat" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2021-41121", "GHSA-xv8x-pr4h-73jv", "PYSEC-2021-365" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5kj5-vafy-83fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36441?format=api", "vulnerability_id": "VCID-5zbv-sgt1-y3be", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31146", "reference_id": "CVE-2023-31146", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31146" }, { "reference_url": "https://github.com/advisories/GHSA-3p37-3636-q8wv", "reference_id": "GHSA-3p37-3636-q8wv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3p37-3636-q8wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-31146", "GHSA-3p37-3636-q8wv", "PYSEC-2023-77" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zbv-sgt1-y3be" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36076?format=api", "vulnerability_id": "VCID-6u3h-yjk9-nbhx", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with `\"\\x00\"` because there is no comparison of the length. A patch is available and expected to be part of the 0.3.2 release. There are currently no known workarounds.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-7vrm-3jc8-5wwm", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-7vrm-3jc8-5wwm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24787", "reference_id": "CVE-2022-24787", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24787" }, { "reference_url": "https://github.com/advisories/GHSA-7vrm-3jc8-5wwm", "reference_id": "GHSA-7vrm-3jc8-5wwm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrm-3jc8-5wwm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27456?format=api", "purl": "pkg:pypi/vyper@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-pvjj-s95r-u3f7" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2" } ], "aliases": [ "CVE-2022-24787", "GHSA-7vrm-3jc8-5wwm", "GMS-2022-704", "PYSEC-2022-196" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6u3h-yjk9-nbhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36539?format=api", "vulnerability_id": "VCID-7nbf-6rd9-2uap", "summary": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3583", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/pull/3583" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052", "reference_id": "CVE-2023-41052", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052" }, { "reference_url": "https://github.com/advisories/GHSA-4hg4-9mf5-wxxq", "reference_id": "GHSA-4hg4-9mf5-wxxq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4hg4-9mf5-wxxq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35619?format=api", "purl": "pkg:pypi/vyper@0.3.10rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1" } ], "aliases": [ "CVE-2023-41052", "GHSA-4hg4-9mf5-wxxq", "PYSEC-2023-168" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7nbf-6rd9-2uap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36079?format=api", "vulnerability_id": "VCID-8jrz-6s9h-4bfh", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. There is no known workaround for this issue.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24845", "reference_id": "CVE-2022-24845", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24845" }, { "reference_url": "https://github.com/advisories/GHSA-j2x6-9323-fp7h", "reference_id": "GHSA-j2x6-9323-fp7h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j2x6-9323-fp7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27456?format=api", "purl": "pkg:pypi/vyper@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-pvjj-s95r-u3f7" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2" } ], "aliases": [ "CVE-2022-24845", "GHSA-j2x6-9323-fp7h", "PYSEC-2022-198" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8jrz-6s9h-4bfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36105?format=api", "vulnerability_id": "VCID-8qex-3tef-skby", "summary": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27894?format=api", "purl": "pkg:pypi/vyper@0.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-pvjj-s95r-u3f7" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.4" } ], "aliases": [ "CVE-2022-29255", "GHSA-4v9q-cgpw-cf38", "PYSEC-2022-43053" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8qex-3tef-skby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36443?format=api", "vulnerability_id": "VCID-a8ph-1jta-uka1", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059", "reference_id": "CVE-2023-32059", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059" }, { "reference_url": "https://github.com/advisories/GHSA-ph9x-4vc9-m39g", "reference_id": "GHSA-ph9x-4vc9-m39g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ph9x-4vc9-m39g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32059", "GHSA-ph9x-4vc9-m39g", "PYSEC-2023-79" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8ph-1jta-uka1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36721?format=api", "vulnerability_id": "VCID-br4v-y1ka-wbh2", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker allows the usage of signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions, including `0.3.10`. For ints, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass Negative values will simply be represented as very large numbers. As of time of publication, a fixed version does not exist.\n\nThere are three potential vulnerability classes: unpredictable behavior, accessing inaccessible elements and denial of service. Class 1: If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract. Class 2: If a contract has an invariant in the form `assert index < x`, the developer will suppose that no elements on indexes `y | y >= x` are accessible. However, by using negative indexes, this can be bypassed. Class 3: If the index is dependent on the state of the contract, this poses a risk of denial of service. If the state of the contract can be manipulated in such way that the index will be forced to be negative, the array access can always revert (because most likely the array won't be declared extremely large). However, all these the scenarios are highly unlikely. Most likely behavior is a revert on the bounds check.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24563", "reference_id": "CVE-2024-24563", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24563" }, { "reference_url": "https://github.com/advisories/GHSA-52xq-j7v9-v4v2", "reference_id": "GHSA-52xq-j7v9-v4v2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-52xq-j7v9-v4v2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24563", "GHSA-52xq-j7v9-v4v2", "PYSEC-2024-150" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-br4v-y1ka-wbh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36713?format=api", "vulnerability_id": "VCID-c8rf-ec8a-gybs", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3756", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/issues/3756" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24561", "reference_id": "CVE-2024-24561", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24561" }, { "reference_url": "https://github.com/advisories/GHSA-9x7f-gwxq-6f2c", "reference_id": "GHSA-9x7f-gwxq-6f2c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9x7f-gwxq-6f2c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24561", "GHSA-9x7f-gwxq-6f2c", "PYSEC-2024-149" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8rf-ec8a-gybs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36685?format=api", "vulnerability_id": "VCID-cp7n-z6w9-k3bn", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy functions (for `>=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. This issue has been addressed in 0.4.0.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3737", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/issues/3737" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22419", "reference_id": "CVE-2024-22419", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22419" }, { "reference_url": "https://github.com/advisories/GHSA-2q8v-3gqq-4f8p", "reference_id": "GHSA-2q8v-3gqq-4f8p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2q8v-3gqq-4f8p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-22419", "GHSA-2q8v-3gqq-4f8p", "PYSEC-2024-103" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cp7n-z6w9-k3bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36975?format=api", "vulnerability_id": "VCID-djvb-mdjy-b7g5", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/pull/4488", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4488" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44331?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-27104", "GHSA-h33q-mhmp-8p67", "PYSEC-2025-30" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djvb-mdjy-b7g5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35886?format=api", "vulnerability_id": "VCID-dxtu-4t3b-7ub3", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/2447" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41122", "reference_id": "CVE-2021-41122", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41122" }, { "reference_url": "https://github.com/advisories/GHSA-c7pr-343r-5c46", "reference_id": "GHSA-c7pr-343r-5c46", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c7pr-343r-5c46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23949?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-6u3h-yjk9-nbhx" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8jrz-6s9h-4bfh" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-unvz-641j-6qat" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2021-41122", "GHSA-c7pr-343r-5c46", "PYSEC-2021-366" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dxtu-4t3b-7ub3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36442?format=api", "vulnerability_id": "VCID-edbb-gb6x-7kby", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been patched in version 0.3.8.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32058", "reference_id": "CVE-2023-32058", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32058" }, { "reference_url": "https://github.com/advisories/GHSA-6r8q-pfpv-7cgj", "reference_id": "GHSA-6r8q-pfpv-7cgj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6r8q-pfpv-7cgj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32058", "GHSA-6r8q-pfpv-7cgj", "PYSEC-2023-78" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-edbb-gb6x-7kby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36549?format=api", "vulnerability_id": "VCID-h6ck-r6j1-yuhp", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode.\n\nEach builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory.\n\nAs of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3609", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/issues/3609" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3610", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/3610" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42443", "reference_id": "CVE-2023-42443", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42443" }, { "reference_url": "https://github.com/advisories/GHSA-c647-pxm2-c52w", "reference_id": "GHSA-c647-pxm2-c52w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c647-pxm2-c52w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35879?format=api", "purl": "pkg:pypi/vyper@0.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10" } ], "aliases": [ "CVE-2023-42443", "GHSA-c647-pxm2-c52w", "PYSEC-2023-306" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6ck-r6j1-yuhp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36957?format=api", "vulnerability_id": "VCID-m355-31jd-1kfq", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. None the less an advisory has been made out of an abundance of caution. There are no actions for users to take.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44331?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-21607", "PYSEC-2025-33" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m355-31jd-1kfq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36644?format=api", "vulnerability_id": "VCID-mw5j-2jm9-j3dv", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`. The intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 0.3.8.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46247", "reference_id": "CVE-2023-46247", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46247" }, { "reference_url": "https://github.com/advisories/GHSA-6m97-7527-mh74", "reference_id": "GHSA-6m97-7527-mh74", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6m97-7527-mh74" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33500?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-46247", "GHSA-6m97-7527-mh74", "PYSEC-2023-307" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mw5j-2jm9-j3dv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36773?format=api", "vulnerability_id": "VCID-nub3-y13p-jbfb", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/2455", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/issues/2455" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32648", "reference_id": "CVE-2024-32648", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32648" }, { "reference_url": "https://github.com/advisories/GHSA-m2v9-w374-5hj9", "reference_id": "GHSA-m2v9-w374-5hj9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m2v9-w374-5hj9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23949?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-6u3h-yjk9-nbhx" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8jrz-6s9h-4bfh" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-unvz-641j-6qat" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2024-32648", "GHSA-m2v9-w374-5hj9", "PYSEC-2024-163" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nub3-y13p-jbfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36771?format=api", "vulnerability_id": "VCID-qfyr-upmm-duea", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32645", "reference_id": "CVE-2024-32645", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32645" }, { "reference_url": "https://github.com/advisories/GHSA-xchq-w5r3-4wg3", "reference_id": "GHSA-xchq-w5r3-4wg3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xchq-w5r3-4wg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32645", "GHSA-xchq-w5r3-4wg3", "PYSEC-2024-206" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qfyr-upmm-duea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36740?format=api", "vulnerability_id": "VCID-shx9-8v43-9qem", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitations in contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3925", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/3925" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4060", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4060" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4091", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4091" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4144", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4144" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26149", "reference_id": "CVE-2024-26149", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26149" }, { "reference_url": "https://github.com/advisories/GHSA-9p8r-4xp4-gw5w", "reference_id": "GHSA-9p8r-4xp4-gw5w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9p8r-4xp4-gw5w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-26149", "GHSA-9p8r-4xp4-gw5w", "PYSEC-2024-164" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-shx9-8v43-9qem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36540?format=api", "vulnerability_id": "VCID-sy1y-q8ym-f3ft", "summary": "Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3604", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/issues/3604" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/4019", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/issues/4019" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4157", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4157" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015", "reference_id": "CVE-2023-40015", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015" }, { "reference_url": "https://github.com/advisories/GHSA-g2xh-c426-v8mf", "reference_id": "GHSA-g2xh-c426-v8mf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g2xh-c426-v8mf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35619?format=api", "purl": "pkg:pypi/vyper@0.3.10rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1q3x-5eug-afdg" }, { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-pcsz-xwb8-7yh4" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1" } ], "aliases": [ "CVE-2023-40015", "GHSA-g2xh-c426-v8mf", "PYSEC-2023-167" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sy1y-q8ym-f3ft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36078?format=api", "vulnerability_id": "VCID-unvz-641j-6qat", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun. Users are advised to upgrade. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24788", "reference_id": "CVE-2022-24788", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24788" }, { "reference_url": "https://github.com/advisories/GHSA-4mrx-6fxm-8jpg", "reference_id": "GHSA-4mrx-6fxm-8jpg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4mrx-6fxm-8jpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27456?format=api", "purl": "pkg:pypi/vyper@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-27ed-mhnf-ykgz" }, { "vulnerability": "VCID-297e-aexx-ykea" }, { "vulnerability": "VCID-3f9m-vgt7-m7gg" }, { "vulnerability": "VCID-5zbv-sgt1-y3be" }, { "vulnerability": "VCID-7nbf-6rd9-2uap" }, { "vulnerability": "VCID-8qex-3tef-skby" }, { "vulnerability": "VCID-a8ph-1jta-uka1" }, { "vulnerability": "VCID-br4v-y1ka-wbh2" }, { "vulnerability": "VCID-c8rf-ec8a-gybs" }, { "vulnerability": "VCID-cp7n-z6w9-k3bn" }, { "vulnerability": "VCID-cpb5-3f58-5ueb" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-edbb-gb6x-7kby" }, { "vulnerability": "VCID-h6ck-r6j1-yuhp" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-mw5j-2jm9-j3dv" }, { "vulnerability": "VCID-pvjj-s95r-u3f7" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-shx9-8v43-9qem" }, { "vulnerability": "VCID-sy1y-q8ym-f3ft" }, { "vulnerability": "VCID-vchm-6wyg-83hk" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-x6fh-e77r-pycx" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" }, { "vulnerability": "VCID-zsnu-88np-fyet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2" } ], "aliases": [ "CVE-2022-24788", "GHSA-4mrx-6fxm-8jpg", "PYSEC-2022-197" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-unvz-641j-6qat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36710?format=api", "vulnerability_id": "VCID-vchm-6wyg-83hk", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3755", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/3755" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567", "reference_id": "CVE-2024-24567", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567" }, { "reference_url": "https://github.com/advisories/GHSA-x2c2-q32w-4w6m", "reference_id": "GHSA-x2c2-q32w-4w6m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x2c2-q32w-4w6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24567", "GHSA-x2c2-q32w-4w6m", "PYSEC-2024-151" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vchm-6wyg-83hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36770?format=api", "vulnerability_id": "VCID-vz6u-kbjy-hkfc", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32647", "reference_id": "CVE-2024-32647", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32647" }, { "reference_url": "https://github.com/advisories/GHSA-3whq-64q2-qfj6", "reference_id": "GHSA-3whq-64q2-qfj6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3whq-64q2-qfj6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32647", "GHSA-3whq-64q2-qfj6", "PYSEC-2024-208" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vz6u-kbjy-hkfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36976?format=api", "vulnerability_id": "VCID-wc7x-rsqa-bkcm", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/pull/4486", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4486" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44331?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-26622", "GHSA-2p94-8669-xg86", "PYSEC-2025-29" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wc7x-rsqa-bkcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36741?format=api", "vulnerability_id": "VCID-wmen-dnf4-2kef", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and returned by `extract32`. This vulnerability is fixed in 0.4.0.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24564", "reference_id": "CVE-2024-24564", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24564" }, { "reference_url": "https://github.com/advisories/GHSA-4hwq-4cpm-8vmx", "reference_id": "GHSA-4hwq-4cpm-8vmx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4hwq-4cpm-8vmx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24564", "GHSA-4hwq-4cpm-8vmx", "PYSEC-2024-205" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wmen-dnf4-2kef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36774?format=api", "vulnerability_id": "VCID-x4dz-scmh-b7dj", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32649", "PYSEC-2024-209" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x4dz-scmh-b7dj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36717?format=api", "vulnerability_id": "VCID-x6fh-e77r-pycx", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4063", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper/pull/4063" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24559", "reference_id": "CVE-2024-24559", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24559" }, { "reference_url": "https://github.com/advisories/GHSA-6845-xw22-ffxv", "reference_id": "GHSA-6845-xw22-ffxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6845-xw22-ffxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24559", "GHSA-6845-xw22-ffxv", "PYSEC-2024-147" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x6fh-e77r-pycx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36772?format=api", "vulnerability_id": "VCID-zkhz-ckgg-hkat", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32646", "PYSEC-2024-207" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zkhz-ckgg-hkat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36715?format=api", "vulnerability_id": "VCID-zsnu-88np-fyet", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560", "reference_id": "CVE-2024-24560", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560" }, { "reference_url": "https://github.com/advisories/GHSA-gp3w-2v2m-p686", "reference_id": "GHSA-gp3w-2v2m-p686", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gp3w-2v2m-p686" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-qfyr-upmm-duea" }, { "vulnerability": "VCID-vz6u-kbjy-hkfc" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" }, { "vulnerability": "VCID-wmen-dnf4-2kef" }, { "vulnerability": "VCID-x4dz-scmh-b7dj" }, { "vulnerability": "VCID-zkhz-ckgg-hkat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40340?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r9c-w5zc-6ker" }, { "vulnerability": "VCID-djvb-mdjy-b7g5" }, { "vulnerability": "VCID-m355-31jd-1kfq" }, { "vulnerability": "VCID-wc7x-rsqa-bkcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24560", "GHSA-gp3w-2v2m-p686", "PYSEC-2024-148" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zsnu-88np-fyet" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.1.0b2" }