Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/66534?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66534?format=api", "purl": "pkg:pypi/vyper@0.1.0b3", "type": "pypi", "namespace": "", "name": "vyper", "version": "0.1.0b3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41399?format=api", "vulnerability_id": "VCID-16p5-vc4s-27aq", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitations in contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26149", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0059", "scoring_system": "epss", "scoring_elements": "0.69671", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0059", "scoring_system": "epss", "scoring_elements": "0.69772", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0059", "scoring_system": "epss", "scoring_elements": "0.69775", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0059", "scoring_system": "epss", "scoring_elements": "0.69761", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26149" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3925", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/3925" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4060", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4060" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4091", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4091" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4144", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4144" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-26149", "reference_id": "CVE-2024-26149", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26149" }, { "reference_url": "https://github.com/advisories/GHSA-9p8r-4xp4-gw5w", "reference_id": "GHSA-9p8r-4xp4-gw5w", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9p8r-4xp4-gw5w" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w", "reference_id": "GHSA-9p8r-4xp4-gw5w", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:58:20Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": 
"VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-26149", "GHSA-9p8r-4xp4-gw5w", "PYSEC-2024-164" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-16p5-vc4s-27aq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/147296?format=api", "vulnerability_id": "VCID-1dy2-nw8w-f3fa", "summary": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. 
When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25205", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.2521", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25224", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25006", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41052" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, 
{ "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3583", "reference_id": "3583", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:38Z/" } ], "url": "https://github.com/vyperlang/vyper/pull/3583" }, { "reference_url": "https://github.com/advisories/GHSA-4hg4-9mf5-wxxq", "reference_id": "GHSA-4hg4-9mf5-wxxq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hg4-9mf5-wxxq" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "reference_id": "GHSA-4hg4-9mf5-wxxq", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { 
"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:38Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78007?format=api", "purl": "pkg:pypi/vyper@0.3.10rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1" } ], "aliases": [ "CVE-2023-41052", "GHSA-4hg4-9mf5-wxxq", "PYSEC-2023-168" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1dy2-nw8w-f3fa" 
}, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143101?format=api", "vulnerability_id": "VCID-1fzv-ufja-zkbk", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been patched in version 0.3.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32058", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00468", "scoring_system": "epss", "scoring_elements": "0.65062", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00468", "scoring_system": "epss", "scoring_elements": "0.65071", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00468", "scoring_system": "epss", "scoring_elements": "0.65073", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00468", "scoring_system": "epss", "scoring_elements": "0.64962", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32058" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml" }, { "reference_url": 
"https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32058", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32058" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868", "reference_id": "3de1415ee77a9244eb04bdb695e249d3ec9ed868", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:56:37Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868" }, { "reference_url": "https://github.com/advisories/GHSA-6r8q-pfpv-7cgj", "reference_id": "GHSA-6r8q-pfpv-7cgj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-6r8q-pfpv-7cgj" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj", "reference_id": "GHSA-6r8q-pfpv-7cgj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:56:37Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": 
"VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32058", "GHSA-6r8q-pfpv-7cgj", "PYSEC-2023-78" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fzv-ufja-zkbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61849?format=api", "vulnerability_id": "VCID-1qav-fvdc-37bh", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. 
It can also be used to corrupt the length slot of the respective array.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24561", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01192", "scoring_system": "epss", "scoring_elements": "0.79339", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01192", "scoring_system": "epss", "scoring_elements": "0.79334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01192", "scoring_system": "epss", "scoring_elements": "0.79326", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01192", "scoring_system": "epss", "scoring_elements": "0.79261", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24561" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3756", "reference_id": "3756", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/" } ], "url": "https://github.com/vyperlang/vyper/issues/3756" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24561", "reference_id": "CVE-2024-24561", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24561" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457", "reference_id": "functions.py#L404-L457", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457" }, { "reference_url": "https://github.com/advisories/GHSA-9x7f-gwxq-6f2c", "reference_id": "GHSA-9x7f-gwxq-6f2c", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9x7f-gwxq-6f2c" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c", "reference_id": "GHSA-9x7f-gwxq-6f2c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": 
"ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24561", "GHSA-9x7f-gwxq-6f2c", "PYSEC-2024-149" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1qav-fvdc-37bh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61861?format=api", "vulnerability_id": "VCID-33m8-47bw-1ugj", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. 
When using the built-in `extract32(b, start)`, if the `start` index provided has the side effect of updating `b`, the byte array to extract `32` bytes from, some dirty memory may be read and returned by `extract32`. This vulnerability is fixed in 0.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24564", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58845", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58958", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58968", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58957", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24564" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f", "reference_id": "3d9c537142fb99b2672f21e2057f5f202cde194f", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T16:54:00Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24564", "reference_id": "CVE-2024-24564", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24564" }, { "reference_url": 
"https://github.com/advisories/GHSA-4hwq-4cpm-8vmx", "reference_id": "GHSA-4hwq-4cpm-8vmx", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hwq-4cpm-8vmx" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx", "reference_id": "GHSA-4hwq-4cpm-8vmx", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T16:54:00Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24564", "GHSA-4hwq-4cpm-8vmx", "PYSEC-2024-205" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-33m8-47bw-1ugj" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/130188?format=api", "vulnerability_id": "VCID-6h37-axjk-nkd7", "summary": "Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30837", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48552", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48557", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48415", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48571", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30837" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30837", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30837" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb", "reference_id": "0bb7203b584e771b23536ba065a6efda457161bb", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T15:27:34Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb" }, { "reference_url": "https://github.com/advisories/GHSA-mgv8-gggw-mrg6", "reference_id": "GHSA-mgv8-gggw-mrg6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mgv8-gggw-mrg6" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", "reference_id": "GHSA-mgv8-gggw-mrg6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T15:27:34Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-30837", 
"GHSA-mgv8-gggw-mrg6", "PYSEC-2023-76" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6h37-axjk-nkd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/173447?format=api", "vulnerability_id": "VCID-7qjx-mfmt-mqa4", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun. Users are advised to upgrade. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24788", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56345", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.5633", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.5621", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24788" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b", "reference_id": "049dbdc647b2ce838fae7c188e6bb09cf16e470b", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:18Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24788", "reference_id": "CVE-2022-24788", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24788" }, { "reference_url": "https://github.com/advisories/GHSA-4mrx-6fxm-8jpg", "reference_id": "GHSA-4mrx-6fxm-8jpg", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mrx-6fxm-8jpg" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg", "reference_id": "GHSA-4mrx-6fxm-8jpg", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:18Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20011?format=api", "purl": "pkg:pypi/vyper@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-afxc-8na3-fbgf" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { 
"vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2" } ], "aliases": [ "CVE-2022-24788", "GHSA-4mrx-6fxm-8jpg", "PYSEC-2022-197" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7qjx-mfmt-mqa4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/116956?format=api", "vulnerability_id": "VCID-7z8b-9fnd-hfh7", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27105", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00326", "scoring_system": "epss", "scoring_elements": "0.56102", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00326", "scoring_system": "epss", "scoring_elements": "0.56104", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00326", "scoring_system": "epss", "scoring_elements": "0.55982", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00326", "scoring_system": "epss", "scoring_elements": "0.56117", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27105" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27105", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-27105" }, { "reference_url": "https://github.com/advisories/GHSA-4w26-8p97-f4jp", "reference_id": "GHSA-4w26-8p97-f4jp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4w26-8p97-f4jp" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp", "reference_id": "GHSA-4w26-8p97-f4jp", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:36:50Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86891?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-27105", "GHSA-4w26-8p97-f4jp", "PYSEC-2025-31" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7z8b-9fnd-hfh7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61915?format=api", "vulnerability_id": "VCID-8j58-b29e-4ubb", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. 
The Vyper compiler allows passing a value to the builtin raw_call even if the call is a delegatecall or a staticcall. In the context of delegatecall and staticcall, however, handling a value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. A developer unfamiliar with these EVM semantics could wrongly assume that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24567", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49249", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49104", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49242", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49259", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24567" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" 
} ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3755", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/3755" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567", "reference_id": "CVE-2024-24567", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100", "reference_id": "functions.py#L1100", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T20:05:45Z/" } ], "url": 
"https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100" }, { "reference_url": "https://github.com/advisories/GHSA-x2c2-q32w-4w6m", "reference_id": "GHSA-x2c2-q32w-4w6m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2c2-q32w-4w6m" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m", "reference_id": "GHSA-x2c2-q32w-4w6m", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T20:05:45Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24567", "GHSA-x2c2-q32w-4w6m", "PYSEC-2024-151" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8j58-b29e-4ubb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/119415?format=api", "vulnerability_id": "VCID-8qeq-6spq-kbch", "summary": "Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b\"\"`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b\"\" if self.do_some_side_effect() else b\"\"`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. 
As a workaround, don't have side effects in expressions which construct zero-length bytestrings.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47285", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34134", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34316", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34337", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34312", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47285" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47285", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47285" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4644", "reference_id": "4644", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/" } ], "url": "https://github.com/vyperlang/vyper/pull/4644" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562", "reference_id": "functions.py#L560-L562", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562" }, { "reference_url": "https://github.com/advisories/GHSA-qhr6-mgqr-mchm", "reference_id": "GHSA-qhr6-mgqr-mchm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qhr6-mgqr-mchm" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm", "reference_id": "GHSA-qhr6-mgqr-mchm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm" } ], "fixed_packages": [], "aliases": [ "CVE-2025-47285", "GHSA-qhr6-mgqr-mchm" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-8qeq-6spq-kbch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/135453?format=api", "vulnerability_id": "VCID-9gzc-rrfc-8ue9", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode.\n\nEach builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory.\n\nAs of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. 
As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42443", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.4551", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45361", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.52029", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.52013", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42443" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/3610", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/3610" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42443", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42443" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3609", "reference_id": "3609", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-24T18:49:35Z/" } ], "url": "https://github.com/vyperlang/vyper/issues/3609" }, { "reference_url": "https://github.com/advisories/GHSA-c647-pxm2-c52w", "reference_id": "GHSA-c647-pxm2-c52w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c647-pxm2-c52w" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w", "reference_id": "GHSA-c647-pxm2-c52w", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-24T18:49:35Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28456?format=api", "purl": "pkg:pypi/vyper@0.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10" } ], "aliases": [ "CVE-2023-42443", "GHSA-c647-pxm2-c52w", "PYSEC-2023-306" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9gzc-rrfc-8ue9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52834?format=api", "vulnerability_id": "VCID-9n1v-uyy5-cfej", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. 
In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32649", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74551", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74563", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74564", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74479", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32649" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-209.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-209.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2914", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2914" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32649", "reference_id": "CVE-2024-32649", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32649" }, { "reference_url": "https://github.com/advisories/GHSA-5jrj-52x8-m64h", "reference_id": "GHSA-5jrj-52x8-m64h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5jrj-52x8-m64h" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h", "reference_id": "GHSA-5jrj-52x8-m64h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-29T12:16:42Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32649", "GHSA-5jrj-52x8-m64h", "PYSEC-2024-209" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9n1v-uyy5-cfej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218208?format=api", "vulnerability_id": "VCID-a95n-fkwj-8kba", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. This can lead to logic errors. 
This issue has been resolved in version 0.3.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41122", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42411", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42574", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42596", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42585", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41122" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2447", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2447" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41122", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41122" }, { "reference_url": "https://github.com/advisories/GHSA-c7pr-343r-5c46", "reference_id": "GHSA-c7pr-343r-5c46", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c7pr-343r-5c46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28455?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-q5sb-3att-17hy" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2021-41122", "GHSA-c7pr-343r-5c46", "PYSEC-2021-366" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a95n-fkwj-8kba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/119269?format=api", "vulnerability_id": "VCID-ah7u-fmtc-6uew", "summary": "Vyper is the Pythonic Programming Language for the 
Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<address>.code`). The reason is that for these source locations, the check that `length >= 1` is skipped. The result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`. The fix in pull request 4645 disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47774", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44938", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44939", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44788", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44952", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47774" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47774", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47774" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4645", "reference_id": "4645", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/" } ], "url": "https://github.com/vyperlang/vyper/pull/4645" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191", "reference_id": "core.py#L189-L191", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319", "reference_id": "functions.py#L315-L319", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319" }, { "reference_url": "https://github.com/advisories/GHSA-3vcg-j39x-cwfm", "reference_id": "GHSA-3vcg-j39x-cwfm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3vcg-j39x-cwfm" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm", "reference_id": "GHSA-3vcg-j39x-cwfm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm" } ], "fixed_packages": [], "aliases": [ "CVE-2025-47774", "GHSA-3vcg-j39x-cwfm" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ah7u-fmtc-6uew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218369?format=api", "vulnerability_id": "VCID-aw5a-xywg-4ydg", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`. 
The intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 0.3.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.57003", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56994", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56869", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56989", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46247" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": 
"https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46247", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46247" }, { "reference_url": "https://github.com/advisories/GHSA-6m97-7527-mh74", "reference_id": "GHSA-6m97-7527-mh74", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6m97-7527-mh74" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { 
"vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-46247", "GHSA-6m97-7527-mh74", "PYSEC-2023-307" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aw5a-xywg-4ydg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61782?format=api", "vulnerability_id": "VCID-ca5r-by1f-hffx", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. 
When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24560", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00915", "scoring_system": "epss", "scoring_elements": "0.76355", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00915", "scoring_system": "epss", "scoring_elements": "0.76435", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00915", "scoring_system": "epss", "scoring_elements": "0.7644", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00915", "scoring_system": "epss", "scoring_elements": "0.76425", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24560" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560", "reference_id": "CVE-2024-24560", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560" }, { "reference_url": "https://github.com/advisories/GHSA-gp3w-2v2m-p686", "reference_id": "GHSA-gp3w-2v2m-p686", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp3w-2v2m-p686" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686", "reference_id": "GHSA-gp3w-2v2m-p686", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T14:31:50Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24560", "GHSA-gp3w-2v2m-p686", "PYSEC-2024-148" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ca5r-by1f-hffx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143658?format=api", "vulnerability_id": "VCID-cr97-vtgx-5qa2", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. 
The issue is patched in version 0.3.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32059", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.4412", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.44108", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.43947", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.44102", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32059" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac", "reference_id": "c3e68c302aa6e1429946473769dd1232145822ac", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:51:03Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac" }, { "reference_url": "https://github.com/advisories/GHSA-ph9x-4vc9-m39g", "reference_id": "GHSA-ph9x-4vc9-m39g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ph9x-4vc9-m39g" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g", "reference_id": "GHSA-ph9x-4vc9-m39g", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:51:03Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32059", "GHSA-ph9x-4vc9-m39g", "PYSEC-2023-79" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cr97-vtgx-5qa2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61815?format=api", "vulnerability_id": "VCID-ek9p-xvab-13ek", "summary": "Vyper is a Pythonic Smart Contract Language for the 
Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker allows signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions, including `0.3.10`. For ints, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass. Negative values will simply be represented as very large numbers. As of time of publication, a fixed version does not exist.\n\nThere are three potential vulnerability classes: unpredictable behavior, accessing inaccessible elements and denial of service. Class 1: If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract. Class 2: If a contract has an invariant in the form `assert index < x`, the developer will suppose that no elements on indexes `y | y >= x` are accessible. However, by using negative indexes, this can be bypassed. Class 3: If the index is dependent on the state of the contract, this poses a risk of denial of service. If the state of the contract can be manipulated in such a way that the index will be forced to be negative, the array access can always revert (because most likely the array won't be declared extremely large). However, all of these scenarios are highly unlikely. 
Most likely behavior is a revert on the bounds check.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24563", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.37852", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38042", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38054", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38029", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24563" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541", "reference_id": "core.py#L534-L541", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24563", "reference_id": "CVE-2024-24563", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24563" }, { "reference_url": "https://github.com/advisories/GHSA-52xq-j7v9-v4v2", "reference_id": "GHSA-52xq-j7v9-v4v2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-52xq-j7v9-v4v2" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2", "reference_id": "GHSA-52xq-j7v9-v4v2", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137", "reference_id": "subscriptable.py#L127-L137", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24563", "GHSA-52xq-j7v9-v4v2", "PYSEC-2024-150" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ek9p-xvab-13ek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53271?format=api", "vulnerability_id": 
"VCID-eq36-zy9n-rqgc", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32646", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72326", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.7234", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72244", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32646" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-207.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-207.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2914", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2914" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32646", "reference_id": "CVE-2024-32646", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32646" }, { "reference_url": "https://github.com/advisories/GHSA-r56x-j438-vw5m", "reference_id": "GHSA-r56x-j438-vw5m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r56x-j438-vw5m" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m", "reference_id": "GHSA-r56x-j438-vw5m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T16:05:58Z/" } ], 
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32646", "GHSA-r56x-j438-vw5m", "PYSEC-2024-207" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eq36-zy9n-rqgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53286?format=api", "vulnerability_id": "VCID-fatn-6hfs-2yd6", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. 
As of time of publication, no fixed versions exist.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32647", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0066", "scoring_system": "epss", "scoring_elements": "0.71663", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0066", "scoring_system": "epss", "scoring_elements": "0.71674", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0066", "scoring_system": "epss", "scoring_elements": "0.71676", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0066", "scoring_system": "epss", "scoring_elements": "0.71577", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32647" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32647", "reference_id": "CVE-2024-32647", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32647" }, { "reference_url": 
"https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847", "reference_id": "functions.py#L1847", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T15:54:24Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847" }, { "reference_url": "https://github.com/advisories/GHSA-3whq-64q2-qfj6", "reference_id": "GHSA-3whq-64q2-qfj6", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3whq-64q2-qfj6" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6", "reference_id": "GHSA-3whq-64q2-qfj6", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T15:54:24Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": 
"VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32647", "GHSA-3whq-64q2-qfj6", "PYSEC-2024-208" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fatn-6hfs-2yd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/150568?format=api", "vulnerability_id": "VCID-fjrc-wmx6-qqgj", "summary": "Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side effects: state modifying external call, state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. 
Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40015", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25825", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25809", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25611", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40015" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3604", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/issues/3604" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/4019", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/issues/4019" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4157", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4157" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015" }, { "reference_url": 
"https://github.com/advisories/GHSA-g2xh-c426-v8mf", "reference_id": "GHSA-g2xh-c426-v8mf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g2xh-c426-v8mf" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "reference_id": "GHSA-g2xh-c426-v8mf", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:27Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78007?format=api", "purl": "pkg:pypi/vyper@0.3.10rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" 
}, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1" } ], "aliases": [ "CVE-2023-40015", "GHSA-g2xh-c426-v8mf", "PYSEC-2023-167" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fjrc-wmx6-qqgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/137077?format=api", "vulnerability_id": "VCID-gkkz-1ayy-rudc", "summary": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. 
Version 0.3.8 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31146", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00314", "scoring_system": "epss", "scoring_elements": "0.54977", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00314", "scoring_system": "epss", "scoring_elements": "0.55101", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00314", "scoring_system": "epss", "scoring_elements": "0.55114", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00314", "scoring_system": "epss", "scoring_elements": "0.55098", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31146" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31146", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31146" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb", "reference_id": "4f8289a81206f767df1900ac48f485d90fc87edb", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:59:53Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb" }, { "reference_url": "https://github.com/advisories/GHSA-3p37-3636-q8wv", "reference_id": "GHSA-3p37-3636-q8wv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3p37-3636-q8wv" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv", "reference_id": "GHSA-3p37-3636-q8wv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:59:53Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-31146", "GHSA-3p37-3636-q8wv", "PYSEC-2023-77" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-gkkz-1ayy-rudc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52876?format=api", "vulnerability_id": "VCID-j2sf-e911-9qae", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72326", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.7234", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72244", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32645" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32645", "reference_id": "CVE-2024-32645", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32645" }, { "reference_url": "https://github.com/advisories/GHSA-xchq-w5r3-4wg3", "reference_id": "GHSA-xchq-w5r3-4wg3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xchq-w5r3-4wg3" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3", "reference_id": "GHSA-xchq-w5r3-4wg3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T17:10:02Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": 
"VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-32645", "GHSA-xchq-w5r3-4wg3", "PYSEC-2024-206" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j2sf-e911-9qae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/204618?format=api", "vulnerability_id": "VCID-jsx9-6mk7-qfa4", "summary": "Vyper interfaces returning integer types less than 256 bits can be manipulated if uint256 is used", "references": [ { "reference_url": "https://github.com/advisories/GHSA-mr6r-mvw4-736g", "reference_id": "GHSA-mr6r-mvw4-736g", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mr6r-mvw4-736g" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mr6r-mvw4-736g", "reference_id": "GHSA-mr6r-mvw4-736g", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mr6r-mvw4-736g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66547?format=api", "purl": "pkg:pypi/vyper@0.1.0b17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { "vulnerability": 
"VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-a95n-fkwj-8kba" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-jy5d-868u-afbk" }, { "vulnerability": "VCID-jzkq-43jx-83b5" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-rpx7-mr5e-ykbf" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-uxtx-tzxz-yuh9" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.1.0b17" } ], "aliases": [ "GHSA-mr6r-mvw4-736g", "GMS-2020-13" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsx9-6mk7-qfa4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61940?format=api", "vulnerability_id": "VCID-jwnr-pngn-dkg3", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. 
The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24559", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40671", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40494", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40662", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40685", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24559" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": 
"https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4063", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4063" }, { "reference_url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586", "reference_id": "compile_ir.py#L585-L586", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T17:47:59Z/" } ], "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24559", "reference_id": "CVE-2024-24559", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24559" }, 
{ "reference_url": "https://github.com/advisories/GHSA-6845-xw22-ffxv", "reference_id": "GHSA-6845-xw22-ffxv", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6845-xw22-ffxv" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv", "reference_id": "GHSA-6845-xw22-ffxv", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T17:47:59Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": [ "CVE-2024-24559", "GHSA-6845-xw22-ffxv", "PYSEC-2024-147" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jwnr-pngn-dkg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218210?format=api", "vulnerability_id": "VCID-jy5d-868u-afbk", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the top of the stack. 
This issue has been resolved in version 0.3.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00423", "scoring_system": "epss", "scoring_elements": "0.62565", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00423", "scoring_system": "epss", "scoring_elements": "0.62666", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00423", "scoring_system": "epss", "scoring_elements": "0.62678", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00423", "scoring_system": "epss", "scoring_elements": "0.62672", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41121" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2447", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2447" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41121", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41121" }, { "reference_url": "https://github.com/advisories/GHSA-xv8x-pr4h-73jv", "reference_id": "GHSA-xv8x-pr4h-73jv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xv8x-pr4h-73jv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28455?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-q5sb-3att-17hy" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2021-41121", "GHSA-xv8x-pr4h-73jv", "PYSEC-2021-365" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jy5d-868u-afbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361144?format=api", "vulnerability_id": "VCID-jzkq-43jx-83b5", "summary": "VVE-2021-0001: Memory corruption using function 
calls within arrays\n### Impact\nWhen performing a function call inside an array, there is a memory corruption issue that occurs because of an incorrect pointer to the tip of the stack.\n\n### Patches\nThis issue was partially fixed in [VVE-2020-0004](https://github.com/vyperlang/vyper/security/advisories/GHSA-2r3x-4mrv-mcxf), however the fix did not update similar code for arrays, which had a similar issue. The issue is fully fixed in https://github.com/vyperlang/vyper/pull/2345", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/commit/11b7b5b7e59bc9dc859d51cd41a924b59fe47c9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/11b7b5b7e59bc9dc859d51cd41a924b59fe47c9e" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/2345", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2345" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-22wc-c9wj-6q2v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-22wc-c9wj-6q2v" }, { "reference_url": "https://pypi.org/project/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/vyper" }, { "reference_url": "https://github.com/advisories/GHSA-22wc-c9wj-6q2v", "reference_id": "GHSA-22wc-c9wj-6q2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-22wc-c9wj-6q2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66559?format=api", "purl": "pkg:pypi/vyper@0.2.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-a95n-fkwj-8kba" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-jy5d-868u-afbk" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-rpx7-mr5e-ykbf" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.2.12" } ], "aliases": [ "GHSA-22wc-c9wj-6q2v", "GMS-2021-14" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jzkq-43jx-83b5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208925?format=api", "vulnerability_id": "VCID-pukh-3kf7-5kfx", "summary": "Integer bounds error in Vyper", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24845", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00397", "scoring_system": "epss", "scoring_elements": "0.61047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00397", "scoring_system": "epss", "scoring_elements": "0.60932", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00397", "scoring_system": "epss", "scoring_elements": "0.61038", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00397", "scoring_system": "epss", "scoring_elements": "0.61045", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24845" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-198.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-198.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24845", "reference_id": "CVE-2022-24845", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24845" }, { "reference_url": "https://github.com/advisories/GHSA-j2x6-9323-fp7h", "reference_id": "GHSA-j2x6-9323-fp7h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j2x6-9323-fp7h" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h", "reference_id": "GHSA-j2x6-9323-fp7h", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20011?format=api", "purl": "pkg:pypi/vyper@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-afxc-8na3-fbgf" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { 
"vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2" } ], "aliases": [ "CVE-2022-24845", "GHSA-j2x6-9323-fp7h", "PYSEC-2022-198" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pukh-3kf7-5kfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/117329?format=api", "vulnerability_id": "VCID-qbn3-4wb4-tuep", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). 
However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27104", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55862", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55985", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55982", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55998", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27104" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-30.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-30.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27104", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27104" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4488", "reference_id": "4488", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:35:33Z/" } ], "url": "https://github.com/vyperlang/vyper/pull/4488" }, { "reference_url": "https://github.com/advisories/GHSA-h33q-mhmp-8p67", "reference_id": "GHSA-h33q-mhmp-8p67", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h33q-mhmp-8p67" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67", "reference_id": "GHSA-h33q-mhmp-8p67", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:35:33Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86891?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-27104", "GHSA-h33q-mhmp-8p67", "PYSEC-2025-30" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qbn3-4wb4-tuep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143606?format=api", "vulnerability_id": "VCID-rcah-rmj3-1uc3", "summary": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. 
Users unable to upgrade should avoid use of nonpayable default functions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32675", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48571", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48557", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48552", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48415", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32675" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520." }, { "reference_url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520", "reference_id": "02339dfda0f3caabad142060d511d10bfe93c520", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:07:30Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520" }, { "reference_url": "https://github.com/advisories/GHSA-vxmm-cwh2-q762", "reference_id": "GHSA-vxmm-cwh2-q762", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vxmm-cwh2-q762" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762", "reference_id": "GHSA-vxmm-cwh2-q762", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:07:30Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30810?format=api", "purl": "pkg:pypi/vyper@0.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": 
"VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8" } ], "aliases": [ "CVE-2023-32675", "GHSA-vxmm-cwh2-q762", "PYSEC-2023-80" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcah-rmj3-1uc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52805?format=api", "vulnerability_id": "VCID-rpx7-mr5e-ykbf", "summary": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. 
Version 0.3.0 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32648", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56872", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56998", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.57007", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00336", "scoring_system": "epss", "scoring_elements": "0.56992", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32648" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/2455", "reference_id": "2455", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/" } ], "url": "https://github.com/vyperlang/vyper/issues/2455" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177", "reference_id": "93287e5ac184b53b395c907d40701f721daf8177", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32648", "reference_id": "CVE-2024-32648", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32648" }, { "reference_url": "https://github.com/advisories/GHSA-m2v9-w374-5hj9", "reference_id": "GHSA-m2v9-w374-5hj9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m2v9-w374-5hj9" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9", "reference_id": "GHSA-m2v9-w374-5hj9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28455?format=api", "purl": "pkg:pypi/vyper@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-q5sb-3att-17hy" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0" } ], "aliases": [ "CVE-2024-32648", 
"GHSA-m2v9-w374-5hj9", "PYSEC-2024-163" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rpx7-mr5e-ykbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/138760?format=api", "vulnerability_id": "VCID-sbmf-6kuf-2kfs", "summary": "Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37902", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00097", "scoring_system": "epss", "scoring_elements": "0.26867", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00097", "scoring_system": "epss", "scoring_elements": "0.26851", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00097", "scoring_system": "epss", "scoring_elements": "0.2665", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00097", "scoring_system": "epss", "scoring_elements": "0.26853", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37902" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37902", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37902" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f", "reference_id": "019a37ab98ff53f04fecfadf602b6cd5ac748f7f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T18:58:38Z/" } ], "url": 
"https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f" }, { "reference_url": "https://github.com/advisories/GHSA-f5x6-7qgp-jhf3", "reference_id": "GHSA-f5x6-7qgp-jhf3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f5x6-7qgp-jhf3" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3", "reference_id": "GHSA-f5x6-7qgp-jhf3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T18:58:38Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77452?format=api", "purl": "pkg:pypi/vyper@0.3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { 
"vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/28456?format=api", "purl": "pkg:pypi/vyper@0.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10" } ], "aliases": [ "CVE-2023-37902", "GHSA-f5x6-7qgp-jhf3", "PYSEC-2023-133" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sbmf-6kuf-2kfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/169327?format=api", "vulnerability_id": 
"VCID-uf4u-v1zu-cyha", "summary": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4, when calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29255", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53774", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53903", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.539", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53917", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29255" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d", "reference_id": "6b4d8ff185de071252feaa1c319712b2d6577f8d", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:56Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29255", "reference_id": "CVE-2022-29255", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29255" }, { "reference_url": "https://github.com/advisories/GHSA-4v9q-cgpw-cf38", "reference_id": "GHSA-4v9q-cgpw-cf38", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4v9q-cgpw-cf38" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38", 
"reference_id": "GHSA-4v9q-cgpw-cf38", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:56Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24445?format=api", "purl": "pkg:pypi/vyper@0.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-2jz3-ddbn-qyc6" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-afxc-8na3-fbgf" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": 
"VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.4" } ], "aliases": [ "CVE-2022-29255", "GHSA-4v9q-cgpw-cf38", "GMS-2022-1912", "PYSEC-2022-43053" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uf4u-v1zu-cyha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/101935?format=api", "vulnerability_id": "VCID-usrs-w2cs-y7ax", "summary": "vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-26622", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47632", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47769", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47789", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-26622" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-29.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-29.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26622", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-26622" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4486", "reference_id": "4486", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:34:07Z/" } ], "url": "https://github.com/vyperlang/vyper/pull/4486" }, { "reference_url": "https://github.com/advisories/GHSA-2p94-8669-xg86", "reference_id": "GHSA-2p94-8669-xg86", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2p94-8669-xg86" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86", "reference_id": "GHSA-2p94-8669-xg86", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:34:07Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86891?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-26622", "GHSA-2p94-8669-xg86", "PYSEC-2025-29" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-usrs-w2cs-y7ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361162?format=api", "vulnerability_id": "VCID-uxtx-tzxz-yuh9", "summary": "VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption\n## Background\n\n@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper's built-in `create_forwarder_to` function prior to our change to support EIP-1167 style forwarder proxies.\n\n### Impact\nIf you are an end user of a forwarder-style proxy deployed using Vyper's built-in `create_forwarder_to` function AND you have a function that returns >4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.\n\nOtherwise, if you are handling the result of a return call AND you expect a specific `RETURNDATASIZE` that is less than 4096 (such as `SafeERC20.safeTransfer`) then the call will fail that check.\n\n### Patches\nThe issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.\n\n### Workarounds\nIf you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing `eth_call` or `eth_sendTransaction` directly.\n\nIf you are using a Solidity library that checks `RETURNDATASIZE` of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as `SafeERC20.safeTransfer`). 
The workaround is to always do a greater than or equal to check, rather than a strict equals to check.", "references": [ { "reference_url": "https://github.com/vyperlang/vyper/pull/2281", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/2281" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23" }, { "reference_url": "https://pypi.org/project/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/vyper" }, { "reference_url": "https://pypi.org/project/vyper/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/vyper/" }, { "reference_url": "https://github.com/advisories/GHSA-375m-5fvv-xq23", "reference_id": "GHSA-375m-5fvv-xq23", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-375m-5fvv-xq23" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66556?format=api", "purl": "pkg:pypi/vyper@0.2.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-16p5-vc4s-27aq" }, { "vulnerability": "VCID-1dy2-nw8w-f3fa" }, { "vulnerability": "VCID-1fzv-ufja-zkbk" }, { "vulnerability": "VCID-1qav-fvdc-37bh" }, { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-5gfr-7g4h-kkdd" }, { "vulnerability": "VCID-6h37-axjk-nkd7" }, { "vulnerability": "VCID-7qjx-mfmt-mqa4" }, { 
"vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8j58-b29e-4ubb" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9gzc-rrfc-8ue9" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-a95n-fkwj-8kba" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-aw5a-xywg-4ydg" }, { "vulnerability": "VCID-ca5r-by1f-hffx" }, { "vulnerability": "VCID-cr97-vtgx-5qa2" }, { "vulnerability": "VCID-ek9p-xvab-13ek" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-fjrc-wmx6-qqgj" }, { "vulnerability": "VCID-gkkz-1ayy-rudc" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-jwnr-pngn-dkg3" }, { "vulnerability": "VCID-jy5d-868u-afbk" }, { "vulnerability": "VCID-jzkq-43jx-83b5" }, { "vulnerability": "VCID-pukh-3kf7-5kfx" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-rcah-rmj3-1uc3" }, { "vulnerability": "VCID-rpx7-mr5e-ykbf" }, { "vulnerability": "VCID-sbmf-6kuf-2kfs" }, { "vulnerability": "VCID-uf4u-v1zu-cyha" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" }, { "vulnerability": "VCID-zjz2-dn14-huag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.2.9" } ], "aliases": [ "GHSA-375m-5fvv-xq23", "GMS-2021-15" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxtx-tzxz-yuh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109584?format=api", "vulnerability_id": "VCID-ynxk-p4rx-j3fg", "summary": "Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. 
Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. Nonetheless, an advisory has been made out of an abundance of caution. There are no actions for users to take.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21607", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00776", "scoring_system": "epss", "scoring_elements": "0.74157", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00776", "scoring_system": "epss", "scoring_elements": "0.74154", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00776", "scoring_system": "epss", "scoring_elements": "0.7407", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00776", "scoring_system": "epss", "scoring_elements": "0.74143", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21607" }, { "reference_url": "https://github.com/advisories/GHSA-vgf2-gvx8-xwc3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgf2-gvx8-xwc3" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-33.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-33.yaml" 
}, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/7136eab0a254aa2ff7ddca41cc05f2ee1fa99caf", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/commit/7136eab0a254aa2ff7ddca41cc05f2ee1fa99caf" }, { "reference_url": "https://github.com/vyperlang/vyper/pull/4451", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper/pull/4451" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21607", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21607" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3", "reference_id": "GHSA-vgf2-gvx8-xwc3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:34:18Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86891?format=api", "purl": "pkg:pypi/vyper@0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1" } ], "aliases": [ "CVE-2025-21607", "GHSA-vgf2-gvx8-xwc3", "PYSEC-2025-33" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ynxk-p4rx-j3fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62458?format=api", "vulnerability_id": "VCID-zjz2-dn14-huag", "summary": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy functions (for `>=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. 
However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. This issue has been addressed in 0.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22419", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68126", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68123", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68026", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68114", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22419" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml" }, { "reference_url": "https://github.com/vyperlang/vyper", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vyperlang/vyper" }, { "reference_url": "https://github.com/vyperlang/vyper/issues/3737", "reference_id": "3737", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/" } ], "url": "https://github.com/vyperlang/vyper/issues/3737" }, { "reference_url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f", "reference_id": "55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/" } ], "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22419", "reference_id": "CVE-2024-22419", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22419" }, { "reference_url": "https://github.com/advisories/GHSA-2q8v-3gqq-4f8p", "reference_id": "GHSA-2q8v-3gqq-4f8p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2q8v-3gqq-4f8p" }, { "reference_url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p", "reference_id": 
"GHSA-2q8v-3gqq-4f8p", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/" } ], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81718?format=api", "purl": "pkg:pypi/vyper@0.4.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-33m8-47bw-1ugj" }, { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-9n1v-uyy5-cfej" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-ckru-wcma-ffbt" }, { "vulnerability": "VCID-eq36-zy9n-rqgc" }, { "vulnerability": "VCID-fatn-6hfs-2yd6" }, { "vulnerability": "VCID-j2sf-e911-9qae" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28457?format=api", "purl": "pkg:pypi/vyper@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7z8b-9fnd-hfh7" }, { "vulnerability": "VCID-8qeq-6spq-kbch" }, { "vulnerability": "VCID-ah7u-fmtc-6uew" }, { "vulnerability": "VCID-qbn3-4wb4-tuep" }, { "vulnerability": "VCID-usrs-w2cs-y7ax" }, { "vulnerability": "VCID-ynxk-p4rx-j3fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0" } ], "aliases": 
[ "CVE-2024-22419", "GHSA-2q8v-3gqq-4f8p", "PYSEC-2024-103" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zjz2-dn14-huag" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.1.0b3" }