VulnerableCode Package Details - pkg:pypi/vyper@0.4.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-sy1y-q8ym-f3ft Aliases: CVE-2023-40015 GHSA-g2xh-c426-v8mf PYSEC-2023-167	Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, \|, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-sy1y-q8ym-f3ft
Aliases:
CVE-2023-40015
GHSA-g2xh-c426-v8mf
PYSEC-2023-167

Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:45:41.083301+00:00	GitLab Importer	Affected by	VCID-sy1y-q8ym-f3ft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/vyper/CVE-2023-40015.yml	38.6.0

2026-06-02T04:45:41.083301+00:00

GitLab Importer

Affected by

VCID-sy1y-q8ym-f3ft

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/vyper/CVE-2023-40015.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk