{"url":"http://public2.vulnerablecode.io/api/packages/66536?format=json","purl":"pkg:pypi/vyper@0.1.0b5","type":"pypi","namespace":"","name":"vyper","version":"0.1.0b5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41399?format=json","vulnerability_id":"VCID-16p5-vc4s-27aq","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitations in contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26149","reference_id":"","reference_type":"","scores":[{"value":"0.0059","scoring_system":"epss","scoring_elements":"0.69671","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0059","scoring_system":"epss","scoring_elements":"0.69761","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26149"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual",
"scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/pull/3925","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/3925"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4060","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/4060"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4091","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/4091"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4144","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/4144"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26149","reference_id":"CVE-2024-26149","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26149"},{"reference_url":"https://github.com/advisories/GHSA-9p8r-4xp4-gw5w","reference_id":"GHSA-9p8r-4xp4-gw5w","reference_type":"","scores":[{"value":"5.3","scoring_sy
stem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9p8r-4xp4-gw5w"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w","reference_id":"GHSA-9p8r-4xp4-gw5w","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:58:20Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vu
lnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-26149","GHSA-9p8r-4xp4-gw5w","PYSEC-2024-164"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16p5-vc4s-27aq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/147296?format=json","vulnerability_id":"VCID-1dy2-nw8w-f3fa","summary":"Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side 
effects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41052","reference_id":"","reference_type":"","scores":[{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25205","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25006","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41052"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41052","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41052"},{"reference_url":"https://github.com/vyperlang/vyper/pull/3
583","reference_id":"3583","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:38Z/"}],"url":"https://github.com/vyperlang/vyper/pull/3583"},{"reference_url":"https://github.com/advisories/GHSA-4hg4-9mf5-wxxq","reference_id":"GHSA-4hg4-9mf5-wxxq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hg4-9mf5-wxxq"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq","reference_id":"GHSA-4hg4-9mf5-wxxq","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:38Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78007?format=json","purl":"pkg:pypi/vyper@0.3.10rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc
4s-27aq"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1"}],"aliases":["CVE-2023-41052","GHSA-4hg4-9mf5-wxxq","PYSEC-2023-168"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1dy2-nw8w-f3fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143101?format=json","vulnerability_id":"VCID-1fzv-ufja-zkbk","summary":"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. 
The problem has been patched in version 0.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32058","reference_id":"","reference_type":"","scores":[{"value":"0.00468","scoring_system":"epss","scoring_elements":"0.64962","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00468","scoring_system":"epss","scoring_elements":"0.65062","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32058"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32058","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32058"},{"reference_url":"https://github.co
m/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868","reference_id":"3de1415ee77a9244eb04bdb695e249d3ec9ed868","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:56:37Z/"}],"url":"https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868"},{"reference_url":"https://github.com/advisories/GHSA-6r8q-pfpv-7cgj","reference_id":"GHSA-6r8q-pfpv-7cgj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6r8q-pfpv-7cgj"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj","reference_id":"GHSA-6r8q-pfpv-7cgj","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:56:37Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerabilit
y":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-32058","GHSA-6r8q-pfpv-7cgj","PYSEC-2023-78"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fzv-ufja-zkbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61849?format=json","vulnerability_id":"VCID-1qav-fvdc-37bh","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. 
It can also be used to corrupt the length slot of the respective array.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24561","reference_id":"","reference_type":"","scores":[{"value":"0.01192","scoring_system":"epss","scoring_elements":"0.79261","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01192","scoring_system":"epss","scoring_elements":"0.79326","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24561"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/issues/3756","reference_id":"3756","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/"}],"url":"https://github.com/vyperlang/vyper/issues/3756"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24561","reference_id":"CVE-2024-24561","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITI
CAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24561"},{"reference_url":"https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457","reference_id":"functions.py#L404-L457","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/"}],"url":"https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"},{"reference_url":"https://github.com/advisories/GHSA-9x7f-gwxq-6f2c","reference_id":"GHSA-9x7f-gwxq-6f2c","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9x7f-gwxq-6f2c"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c","reference_id":"GHSA-9x7f-gwxq-6f2c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-02-01T19:07:48Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"
},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24561","GHSA-9x7f-gwxq-6f2c","PYSEC-2024-149"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1qav-fvdc-37bh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61861?format=json","vulnerability_id":"VCID-33m8-47bw-1ugj","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has the side effect of updating `b`, the byte array to extract `32` bytes from, some dirty memory may be read and returned by `extract32`. 
This vulnerability is fixed in 0.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24564","reference_id":"","reference_type":"","scores":[{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58957","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58845","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24564"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918"},{"reference_url":"https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:
L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922"},{"reference_url":"https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f","reference_id":"3d9c537142fb99b2672f21e2057f5f202cde194f","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T16:54:00Z/"}],"url":"https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24564","reference_id":"CVE-2024-24564","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24564"},{"reference_url":"https://github.com/advisories/GHSA-4hwq-4cpm-8vmx","reference_id":"GHSA-4hwq-4cpm-8vmx","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hwq-4cpm-8vmx"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx","reference_id":"GHSA-4hwq-4cpm-8vmx","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T16:54:00Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24564","GHSA-4hwq-4cpm-8vmx","PYSEC-2024-205"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-33m8-47bw-1ugj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/130188?format=json","vulnerability_id":"VCID-6h37-axjk-nkd7","summary":"Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. 
This issue was fixed in version 0.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30837","reference_id":"","reference_type":"","scores":[{"value":"0.00249","scoring_system":"epss","scoring_elements":"0.48552","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00249","scoring_system":"epss","scoring_elements":"0.48415","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30837"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30837","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30837"},{"reference_url":"https://github.com/vyperl
ang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb","reference_id":"0bb7203b584e771b23536ba065a6efda457161bb","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T15:27:34Z/"}],"url":"https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb"},{"reference_url":"https://github.com/advisories/GHSA-mgv8-gggw-mrg6","reference_id":"GHSA-mgv8-gggw-mrg6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mgv8-gggw-mrg6"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6","reference_id":"GHSA-mgv8-gggw-mrg6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T15:27:34Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID
-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-30837","GHSA-mgv8-gggw-mrg6","PYSEC-2023-76"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6h37-axjk-nkd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173447?format=json","vulnerability_id":"VCID-7qjx-mfmt-mqa4","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun. Users are advised to upgrade. 
There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24788","reference_id":"","reference_type":"","scores":[{"value":"0.00329","scoring_system":"epss","scoring_elements":"0.5633","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00329","scoring_system":"epss","scoring_elements":"0.5621","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24788"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-197.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b","reference_id":"049dbdc647b2ce838fae7c188e6bb09cf16e470b","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","
scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:18Z/"}],"url":"https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24788","reference_id":"CVE-2022-24788","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24788"},{"reference_url":"https://github.com/advisories/GHSA-4mrx-6fxm-8jpg","reference_id":"GHSA-4mrx-6fxm-8jpg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4mrx-6fxm-8jpg"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg","reference_id":"GHSA-4mrx-6fxm-8jpg","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:18Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20011?format=json","purl":"pkg:pypi/vyper@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},
{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-afxc-8na3-fbgf"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2"}],"aliases":["CVE-2022-24788","GHSA-4mrx-6fxm-8jpg","PYSEC-2022-197"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7qjx-mfmt-mqa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/116956?format=json","vulnerability_id":"VCID-7z8b-9fnd-hfh7","summary":"vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. 
This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27105","reference_id":"","reference_type":"","scores":[{"value":"0.00326","scoring_system":"epss","scoring_elements":"0.56102","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00326","scoring_system":"epss","scoring_elements":"0.55982","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27105"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27105","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27105"},{"reference_url":"https://github.com/advisories/GHSA-4w26-8p97-f4jp","reference_id":"GHSA-4w26-8p97-f4jp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4w26-8p97-f4jp"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-
4w26-8p97-f4jp","reference_id":"GHSA-4w26-8p97-f4jp","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:36:50Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86891?format=json","purl":"pkg:pypi/vyper@0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1"}],"aliases":["CVE-2025-27105","GHSA-4w26-8p97-f4jp","PYSEC-2025-31"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7z8b-9fnd-hfh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61915?format=json","vulnerability_id":"VCID-8j58-b29e-4ubb","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. 
This vulnerability affects 0.3.10 and earlier versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24567","reference_id":"","reference_type":"","scores":[{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.49242","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.49104","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24567"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72"},{"reference_url":"https://github.com/vyperlang/vyper/pull/3755","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.
com/vyperlang/vyper/pull/3755"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24567","reference_id":"CVE-2024-24567","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24567"},{"reference_url":"https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100","reference_id":"functions.py#L1100","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T20:05:45Z/"}],"url":"https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"},{"reference_url":"https://github.com/advisories/GHSA-x2c2-q32w-4w6m","reference_id":"GHSA-x2c2-q32w-4w6m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2c2-q32w-4w6m"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m","reference_id":"GHSA-x2c2-q32w-4w6m","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scori
ng_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T20:05:45Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24567","GHSA-x2c2-q32w-4w6m","PYSEC-2024-151"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8j58-b29e-4ubb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/119415?format=json","vulnerability_id":"VCID-8qeq-6spq-kbch","summary":"Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. 
This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b\"\"`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b\"\" if self.do_some_side_effect() else b\"\"`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47285","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34134","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34312","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47285"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47285","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47285"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4644","reference_id":"4644","reference_type":"","scores":[{"value":"2.9","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/"}],"url":"https://github.com/vyperlang/vyper/pull/4644"},{"reference_url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562","reference_id":"functions.py#L560-L562","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/"}],"url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562"},{"reference_url":"https://github.com/advisories/GHSA-qhr6-mgqr-mchm","reference_id":"GHSA-qhr6-mgqr-mchm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qhr6-mgqr-mchm"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm","reference_id":"GHSA-qhr6-mgqr-mchm","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:37:27Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm"}],"fixed_packages":[],"aliases":["CVE-2025-47285","GHSA-qhr6-mgqr-mchm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8qeq-6spq-kbch"}
,{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/135453?format=json","vulnerability_id":"VCID-9gzc-rrfc-8ue9","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode.\n\nEach builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to the memory.\n\nAs of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. 
As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42443","reference_id":"","reference_type":"","scores":[{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45361","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.4551","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42443"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-306.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/79303fc4fcba06994ee5c6a7baef57bdb185006c"},{"reference_url":"https://github.com/vyperlang/vyper/pull/3610","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/3610"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42443","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42443"},{"reference_url":"https://github.com/vyperlang/vyper/issues/3609","reference_id":"3609","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-24T18:49:35Z/"}],"url":"https://github.com/vyperlang/vyper/issues/3609"},{"reference_url":"https://github.com/advisories/GHSA-c647-pxm2-c52w","reference_id":"GHSA-c647-pxm2-c52w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c647-pxm2-c52w"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w","reference_id":"GHSA-c647-pxm2-c52w","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-24T18:49:35Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28456?format=json","purl":"pkg:pypi/vyper@0.3.10","is_vulnerable":true,"affected_by_vulnerabiliti
es":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10"}],"aliases":["CVE-2023-42443","GHSA-c647-pxm2-c52w","PYSEC-2023-306"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9gzc-rrfc-8ue9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52834?format=json","vulnerability_id":"VCID-9n1v-uyy5-cfej","summary":"Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. 
As of time of publication, no fixed versions are available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32649","reference_id":"","reference_type":"","scores":[{"value":"0.008","scoring_system":"epss","scoring_elements":"0.74551","published_at":"2026-06-12T12:55:00Z"},{"value":"0.008","scoring_system":"epss","scoring_elements":"0.74479","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32649"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-209.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-209.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/pull/2914","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2914"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32649","reference_id":"CVE-2024-32649","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32649"},{"reference_url":"https:
//github.com/advisories/GHSA-5jrj-52x8-m64h","reference_id":"GHSA-5jrj-52x8-m64h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5jrj-52x8-m64h"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h","reference_id":"GHSA-5jrj-52x8-m64h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-29T12:16:42Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-32649","GHSA-5jrj-52x8-m64h","PYSEC-2024-209"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9n1v-uyy5-cfej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218208?format=json","vulnerability_id":"VCID-a95n-fkwj-8kba","summary":"Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. 
This can lead to logic errors. This issue has been resolved in version 0.3.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41122","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42411","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42574","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41122"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-366.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/pull/2447","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2447
"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41122","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41122"},{"reference_url":"https://github.com/advisories/GHSA-c7pr-343r-5c46","reference_id":"GHSA-c7pr-343r-5c46","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c7pr-343r-5c46"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28455?format=json","purl":"pkg:pypi/vyper@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7qjx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnera
bility":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-q5sb-3att-17hy"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0"}],"aliases":["CVE-2021-41122","GHSA-c7pr-343r-5c46","PYSEC-2021-366"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a95n-fkwj-8kba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/119269?format=json","vulnerability_id":"VCID-ah7u-fmtc-6uew","summary":"Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<address>.code`). The reason is that for these source locations, the check that `length >= 1` is skipped. The result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`. 
The fix in pull request 4645 disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47774","reference_id":"","reference_type":"","scores":[{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44788","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44938","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47774"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47774","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47774"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4645","reference_id":"4645","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/"}],"url":"https://github.com/vyperlang/vyper/pull/4645"},{"reference_url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191","reference_id":"core.py#L189-
L191","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/"}],"url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191"},{"reference_url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319","reference_id":"functions.py#L315-L319","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/"}],"url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319"},{"reference_url":"https://github.com/advisories/GHSA-3vcg-j39x-cwfm","reference_id":"GHSA-3vcg-j39x-cwfm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3vcg-j39x-cwfm"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm","reference_id":"GHSA-3vcg-j39x-cwfm","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:33:24Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm"}],"fixed_packages":[],"aliases":["CVE-2025-47774","GHSA-3vcg-j39x-cwfm"],"risk_score":1.4,
"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ah7u-fmtc-6uew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218369?format=json","vulnerability_id":"VCID-aw5a-xywg-4ydg","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`. The intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 
0.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46247","reference_id":"","reference_type":"","scores":[{"value":"0.00336","scoring_system":"epss","scoring_elements":"0.56989","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00336","scoring_system":"epss","scoring_elements":"0.56869","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46247"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cv
ssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46247","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46247"},{"reference_url":"https://github.com/advisories/GHSA-6m97-7527-mh74","reference_id":"GHSA-6m97-7527-mh74","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m97-7527-mh74"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource
_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-46247","GHSA-6m97-7527-mh74","PYSEC-2023-307"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aw5a-xywg-4ydg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61782?format=json","vulnerability_id":"VCID-ca5r-by1f-hffx","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract 
returned.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24560","reference_id":"","reference_type":"","scores":[{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76425","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76355","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24560"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-148.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24560","reference_id":"CVE-2024-24560","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24560"},{"reference_url":"https://github.com/advisories/GHSA-gp3w-2v2m-p686","reference_id":"GHSA-gp3w-2v2m-p686","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp3w-2v2m-p686"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686","reference_id":"GHSA-gp3w-2v2m-p686","reference_type":"","scores":[{"value":"3.7"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T14:31:50Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24560","GHSA-gp3w-2v2m-p686","PYSEC-2024-148"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ca5r-by1f-hffx"},{"url":"
http://public2.vulnerablecode.io/api/vulnerabilities/143658?format=json","vulnerability_id":"VCID-cr97-vtgx-5qa2","summary":"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32059","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.44102","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43947","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32059"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""
}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32059","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32059"},{"reference_url":"https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac","reference_id":"c3e68c302aa6e1429946473769dd1232145822ac","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:51:03Z/"}],"url":"https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"},{"reference_url":"https://github.com/advisories/GHSA-ph9x-4vc9-m39g","reference_id":"GHSA-ph9x-4vc9-m39g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ph9x-4vc9-m39g"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g","reference_id":"GHSA-ph9x-4vc9-m39g","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scor
ing_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:51:03Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-32059","GHSA-ph9x-4vc9-m39g","PYSEC-2023-79"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cr97-vtgx-5qa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61815?format=json","vulnerability_id":"VCID-ek9p-xvab-13ek","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. 
Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker allows signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions, including `0.3.10`. For ints, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass. Negative values will simply be represented as very large numbers. As of time of publication, a fixed version does not exist.\n\nThere are three potential vulnerability classes: unpredictable behavior, accessing inaccessible elements and denial of service. Class 1: If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract. Class 2: If a contract has an invariant in the form `assert index < x`, the developer will suppose that no elements on indexes `y | y >= x` are accessible. However, by using negative indexes, this can be bypassed. Class 3: If the index is dependent on the state of the contract, this poses a risk of denial of service. If the state of the contract can be manipulated in such a way that the index will be forced to be negative, the array access can always revert (because most likely the array won't be declared extremely large). However, all of these scenarios are highly unlikely. 
Most likely behavior is a revert on the bounds check.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24563","reference_id":"","reference_type":"","scores":[{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.38029","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37852","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24563"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541","reference_id":"core.py#L534-L541","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/"}],"url":"https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24563","reference_id":"CVE-2024-24563","reference_type":"","scores"
:[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24563"},{"reference_url":"https://github.com/advisories/GHSA-52xq-j7v9-v4v2","reference_id":"GHSA-52xq-j7v9-v4v2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-52xq-j7v9-v4v2"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2","reference_id":"GHSA-52xq-j7v9-v4v2","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2"},{"reference_url":"https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137","reference_id":"subscriptable.py#L127-L137","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-08T20:33:01Z/"}],"url":"https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vul
nerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24563","GHSA-52xq-j7v9-v4v2","PYSEC-2024-150"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ek9p-xvab-13ek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53271?format=json","vulnerability_id":"VCID-eq36-zy9n-rqgc","summary":"Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. 
As of time of publication, no fixed versions are available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32646","reference_id":"","reference_type":"","scores":[{"value":"0.00689","scoring_system":"epss","scoring_elements":"0.72326","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00689","scoring_system":"epss","scoring_elements":"0.72244","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32646"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-207.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-207.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/pull/2914","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2914"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32646","reference_id":"CVE-2024-32646","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32646"},{"reference_url":"ht
tps://github.com/advisories/GHSA-r56x-j438-vw5m","reference_id":"GHSA-r56x-j438-vw5m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r56x-j438-vw5m"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m","reference_id":"GHSA-r56x-j438-vw5m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T16:05:58Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-32646","GHSA-r56x-j438-vw5m","PYSEC-2024-207"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eq36-zy9n-rqgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53286?format=json","vulnerability_id":"VCID-fatn-6hfs-2yd6","summary":"Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. 
In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32647","reference_id":"","reference_type":"","scores":[{"value":"0.0066","scoring_system":"epss","scoring_elements":"0.71663","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0066","scoring_system":"epss","scoring_elements":"0.71577","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32647"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32647","reference_id":"CVE-2024-32647","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32647"},{"reference_url":"https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847","reference_id":"functions.py#L1847","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T15:54:24Z/"}],"url":"https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847"},{"reference_url":"https://github.com/advisories/GHSA-3whq-64q2-qfj6","reference_id":"GHSA-3whq-64q2-qfj6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3whq-64q2-qfj6"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6","reference_id":"GHSA-3whq-64q2-qfj6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-30T15:54:24Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_b
y_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-32647","GHSA-3whq-64q2-qfj6","PYSEC-2024-208"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fatn-6hfs-2yd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/150568?format=json","vulnerability_id":"VCID-fjrc-wmx6-qqgj","summary":"Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. 
Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40015","reference_id":"","reference_type":"","scores":[{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25809","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25611","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40015"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/issues/3604","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_syst
em":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/issues/3604"},{"reference_url":"https://github.com/vyperlang/vyper/issues/4019","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/issues/4019"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4157","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/4157"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40015","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40015"},{"reference_url":"https://github.com/advisories/GHSA-g2xh-c426-v8mf","reference_id":"GHSA-g2xh-c426-v8mf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g2xh-c426-v8mf"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf","reference_id":"GHSA-g2xh-c426-v8mf","reference_type":"","scores":[{"value":"3
.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:04:27Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78007?format=json","purl":"pkg:pypi/vyper@0.3.10rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10rc1"}],"aliases":["CVE-2023-40015","GHSA-g2xh-c426-v8mf","PYSEC-2023-167"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://publi
c2.vulnerablecode.io/vulnerabilities/VCID-fjrc-wmx6-qqgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/137077?format=json","vulnerability_id":"VCID-gkkz-1ayy-rudc","summary":"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31146","reference_id":"","reference_type":"","scores":[{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.55098","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31146"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31146","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31146"},{"reference_url":"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb","reference_id":"4f8289a81206f767df1900ac48f485d90fc87edb","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:59:53Z/"}],"url":"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"},{"reference_url":"https://github.com/advisories/GHSA-3p37-3636-q8wv","reference_id":"GHSA-3p37-3636-q8wv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3p37-3636-q8wv"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv","reference_id":"GHSA-3p37-3636-q8wv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-24T15:59:53Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-31146","GHSA-3p37-3636-q8wv","PYSEC-2023-77"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gkkz-1ayy-r
udc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52876?format=json","vulnerability_id":"VCID-j2sf-e911-9qae","summary":"Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32645","reference_id":"","reference_type":"","scores":[{"value":"0.00689","scoring_system":"epss","scoring_elements":"0.72326","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00689","scoring_system":"epss","scoring_elements":"0.72244","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32645"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32645","reference_id":"CVE-2024-32645","reference_type":"","scores":[{"value":"5.3"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32645"},{"reference_url":"https://github.com/advisories/GHSA-xchq-w5r3-4wg3","reference_id":"GHSA-xchq-w5r3-4wg3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xchq-w5r3-4wg3"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3","reference_id":"GHSA-xchq-w5r3-4wg3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T17:10:02Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-32645","GHSA-xchq-w5r3-4wg3","PYSEC-2024-206"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j2sf-e911-9qae"},{"url":"http://public2.vulnerablecode.io/a
pi/vulnerabilities/204618?format=json","vulnerability_id":"VCID-jsx9-6mk7-qfa4","summary":"Vyper interfaces returning integer types less than 256 bits can be manipulated if uint256 is used","references":[{"reference_url":"https://github.com/advisories/GHSA-mr6r-mvw4-736g","reference_id":"GHSA-mr6r-mvw4-736g","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mr6r-mvw4-736g"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-mr6r-mvw4-736g","reference_id":"GHSA-mr6r-mvw4-736g","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-mr6r-mvw4-736g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66547?format=json","purl":"pkg:pypi/vyper@0.1.0b17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7qjx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-a95n-fkwj-8kba"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vuln
erability":"VCID-jy5d-868u-afbk"},{"vulnerability":"VCID-jzkq-43jx-83b5"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-rpx7-mr5e-ykbf"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-uxtx-tzxz-yuh9"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.1.0b17"}],"aliases":["GHSA-mr6r-mvw4-736g","GMS-2020-13"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jsx9-6mk7-qfa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61940?format=json","vulnerability_id":"VCID-jwnr-pngn-dkg3","summary":"Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. 
At the time of publication there is no patch available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24559","reference_id":"","reference_type":"","scores":[{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40662","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40494","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24559"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4063","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/
pull/4063"},{"reference_url":"https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586","reference_id":"compile_ir.py#L585-L586","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T17:47:59Z/"}],"url":"https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24559","reference_id":"CVE-2024-24559","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24559"},{"reference_url":"https://github.com/advisories/GHSA-6845-xw22-ffxv","reference_id":"GHSA-6845-xw22-ffxv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6845-xw22-ffxv"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv","reference_id":"GHSA-6845-xw22-ffxv","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M
:M/D:T/2024-02-06T17:47:59Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-24559","GHSA-6845-xw22-ffxv","PYSEC-2024-147"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jwnr-pngn-dkg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218210?format=json","vulnerability_id":"VCID-jy5d-868u-afbk","summary":"Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the top of the stack. 
This issue has been resolved in version 0.3.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41121","reference_id":"","reference_type":"","scores":[{"value":"0.00423","scoring_system":"epss","scoring_elements":"0.62565","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00423","scoring_system":"epss","scoring_elements":"0.62666","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41121"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2021-365.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/pull/2447","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2447"},{"reference_url":"https://github.com/vy
perlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41121","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41121"},{"reference_url":"https://github.com/advisories/GHSA-xv8x-pr4h-73jv","reference_id":"GHSA-xv8x-pr4h-73jv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xv8x-pr4h-73jv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28455?format=json","purl":"pkg:pypi/vyper@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7qjx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v
-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-q5sb-3att-17hy"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0"}],"aliases":["CVE-2021-41121","GHSA-xv8x-pr4h-73jv","PYSEC-2021-365"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jy5d-868u-afbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361144?format=json","vulnerability_id":"VCID-jzkq-43jx-83b5","summary":"VVE-2021-0001: Memory corruption using function calls within arrays\n### Impact\nWhen performing a function call inside an array, there is a memory corruption issue that occurs because of an incorrect pointer to the tip of the stack.\n\n### Patches\nThis issue was partially fixed in [VVE-2020-0004](https://github.com/vyperlang/vyper/security/advisories/GHSA-2r3x-4mrv-mcxf), however the fix did not update similar code for arrays, which had a similar issue. 
The issue is fully fixed in https://github.com/vyperlang/vyper/pull/2345","references":[{"reference_url":"https://github.com/vyperlang/vyper/commit/11b7b5b7e59bc9dc859d51cd41a924b59fe47c9e","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/11b7b5b7e59bc9dc859d51cd41a924b59fe47c9e"},{"reference_url":"https://github.com/vyperlang/vyper/pull/2345","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2345"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-22wc-c9wj-6q2v","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-22wc-c9wj-6q2v"},{"reference_url":"https://pypi.org/project/vyper","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/vyper"},{"reference_url":"https://github.com/advisories/GHSA-22wc-c9wj-6q2v","reference_id":"GHSA-22wc-c9wj-6q2v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-22wc-c9wj-6q2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66559?format=json","purl":"pkg:pypi/vyper@0.2.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7q
jx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-a95n-fkwj-8kba"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-jy5d-868u-afbk"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-rpx7-mr5e-ykbf"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.2.12"}],"aliases":["GHSA-22wc-c9wj-6q2v","GMS-2021-14"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jzkq-43jx-83b5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208925?format=json","vulnerability_id":"VCID-pukh-3kf7-5kfx","summary":"Integer bounds error in 
Vyper","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24845","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.61038","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60932","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24845"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-198.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-198.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24845","reference_id":"CVE-2022-24845","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24845"},{"reference_url":"https://github.com/advisories/GHSA-j2x6-9323-fp7h","reference_id":"GHSA-j2x6-9323-fp7h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j2x6-9323-fp7h"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h","reference_id":"GHSA-j2x6-9323-fp7h","reference_type":"","scores":[{"value":"8.8"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20011?format=json","purl":"pkg:pypi/vyper@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-afxc-8na3-fbgf"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.2"}],"aliases":["CVE-2022-24845","GHSA-j2x6-9323-fp7h","PYSEC-2022-198"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecod
e.io/vulnerabilities/VCID-pukh-3kf7-5kfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117329?format=json","vulnerability_id":"VCID-qbn3-4wb4-tuep","summary":"vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. 
There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27104","reference_id":"","reference_type":"","scores":[{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.55982","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.55862","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27104"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-30.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-30.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27104","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27104"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4488","reference_id":"4488","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value
":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:35:33Z/"}],"url":"https://github.com/vyperlang/vyper/pull/4488"},{"reference_url":"https://github.com/advisories/GHSA-h33q-mhmp-8p67","reference_id":"GHSA-h33q-mhmp-8p67","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h33q-mhmp-8p67"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67","reference_id":"GHSA-h33q-mhmp-8p67","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:35:33Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86891?format=json","purl":"pkg:pypi/vyper@0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1"}],"aliases":["CVE-2025-27104","GHSA-h33q-mhmp-8p67","PYSEC-2025-30"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qbn3-4wb4-tuep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143606?format=json","vulnerability_id":"VCID-rcah-rmj3-1uc3","summary":"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. 
In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32675","reference_id":"","reference_type":"","scores":[{"value":"0.00249","scoring_system":"epss","scoring_elements":"0.48415","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00249","scoring_system":"epss","scoring_elements":"0.48552","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32675"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.","
reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520."},{"reference_url":"https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32675","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32675"},{"reference_url":"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520","reference_id":"02339dfda0f3caabad142060d511d10bfe93c520","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_element
s":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:07:30Z/"}],"url":"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"},{"reference_url":"https://github.com/advisories/GHSA-vxmm-cwh2-q762","reference_id":"GHSA-vxmm-cwh2-q762","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vxmm-cwh2-q762"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762","reference_id":"GHSA-vxmm-cwh2-q762","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T17:07:30Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30810?format=json","purl":"pkg:pypi/vyper@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCI
D-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.8"}],"aliases":["CVE-2023-32675","GHSA-vxmm-cwh2-q762","PYSEC-2023-80"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rcah-rmj3-1uc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52805?format=json","vulnerability_id":"VCID-rpx7-mr5e-ykbf","summary":"Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. 
Version 0.3.0 contains a patch for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32648","reference_id":"","reference_type":"","scores":[{"value":"0.00336","scoring_system":"epss","scoring_elements":"0.56992","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00336","scoring_system":"epss","scoring_elements":"0.56872","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32648"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-163.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/issues/2455","reference_id":"2455","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/"}],"url":"https://github.com/vyperlang/vyper/issues/2455"},{"reference_url":"https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177","reference_id":"93287e5ac184b53b395c907d40701f721daf8177","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/"}],"url":"https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32648","reference_id":"CVE-2024-32648","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32648"},{"reference_url":"https://github.com/advisories/GHSA-m2v9-w374-5hj9","reference_id":"GHSA-m2v9-w374-5hj9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m2v9-w374-5hj9"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9","reference_id":"GHSA-m2v9-w374-5hj9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:30:39Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28455?format=json","purl":"pkg:pypi/vyper@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerabili
ty":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7qjx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-q5sb-3att-17hy"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.0"}],"aliases":["CVE-2024-32648","GHSA-m2v9-w374-5hj9","PYSEC-2024-163"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpx7-mr5e-ykbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/138760?format=json","vulnerability_id":"VCID-sbmf-6kuf-2kfs","summary":"Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. 
This means that if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37902","reference_id":"","reference_type":"","scores":[{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26853","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.2665","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37902"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37902","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","s
coring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37902"},{"reference_url":"https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f","reference_id":"019a37ab98ff53f04fecfadf602b6cd5ac748f7f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T18:58:38Z/"}],"url":"https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f"},{"reference_url":"https://github.com/advisories/GHSA-f5x6-7qgp-jhf3","reference_id":"GHSA-f5x6-7qgp-jhf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f5x6-7qgp-jhf3"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3","reference_id":"GHSA-f5x6-7qgp-jhf3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T18:58:38Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3"}],"fixed_pac
kages":[{"url":"http://public2.vulnerablecode.io/api/packages/77452?format=json","purl":"pkg:pypi/vyper@0.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/28456?format=json","purl":"pkg:pypi/vyper@0.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"}
,{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.10"}],"aliases":["CVE-2023-37902","GHSA-f5x6-7qgp-jhf3","PYSEC-2023-133"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sbmf-6kuf-2kfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/169327?format=json","vulnerability_id":"VCID-uf4u-v1zu-cyha","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum virtual machine. In versions prior to 0.3.4, when calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29255","reference_id":"","reference_type":"","scores":[{"value":"0.003","scoring_system":"epss","scoring_elements":"0.539","published_at":"2026-06-12T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53774","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29255"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","sco
res":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d","reference_id":"6b4d8ff185de071252feaa1c319712b2d6577f8d","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:56Z/"}],"url":"https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29255","reference_id":"CVE-2022-29255","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29255"},{"reference_url":"https://github.com/advisories/GHSA-4v9q-cgpw-cf38","reference_id":"GHSA-4v9q-cgpw-cf38","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4v9q-cgpw-cf38"},{"reference_url":"https://github.com/vyperlang/vyp
er/security/advisories/GHSA-4v9q-cgpw-cf38","reference_id":"GHSA-4v9q-cgpw-cf38","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:56Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24445?format=json","purl":"pkg:pypi/vyper@0.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-2jz3-ddbn-qyc6"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-afxc-8na3-fbgf"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"V
CID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.3.4"}],"aliases":["CVE-2022-29255","GHSA-4v9q-cgpw-cf38","PYSEC-2022-43053"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uf4u-v1zu-cyha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101935?format=json","vulnerability_id":"VCID-usrs-w2cs-y7ax","summary":"vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. 
There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26622","reference_id":"","reference_type":"","scores":[{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47772","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47632","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26622"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-29.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-29.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26622","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26622"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4486","reference_id":"4486","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value
":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:34:07Z/"}],"url":"https://github.com/vyperlang/vyper/pull/4486"},{"reference_url":"https://github.com/advisories/GHSA-2p94-8669-xg86","reference_id":"GHSA-2p94-8669-xg86","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2p94-8669-xg86"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86","reference_id":"GHSA-2p94-8669-xg86","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-22T15:34:07Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86891?format=json","purl":"pkg:pypi/vyper@0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1"}],"aliases":["CVE-2025-26622","GHSA-2p94-8669-xg86","PYSEC-2025-29"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-usrs-w2cs-y7ax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361162?format=json","vulnerability_id":"VCID-uxtx-tzxz-yuh9","summary":"VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption\n## Background\n\n@tjayrush reported a data handling issue with certain Web3 
libraries using Vyper-deployed forwarder proxy contracts created with Vyper's built-in `create_forwarder_to` function prior to our change to support EIP-1167 style forwarder proxies.\n\n### Impact\nIf you are an end user of a forwarder-style proxy deployed using Vyper's built-in `create_forwarder_to` function AND you have a function that returns >4096 bytes AND you do no return data sanitization on the value returned, you could potentially see a data corruption issue.\n\nOtherwise, if you are handling the result of a return call AND you expect a specific `RETURNDATASIZE` that is less than 4096 (such as `SafeERC20.safeTransfer`) then the call will fail that check.\n\n### Patches\nThe issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.\n\n### Workarounds\nIf you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing `eth_call` or `eth_sendTransaction` directly.\n\nIf you are using a Solidity library that checks `RETURNDATASIZE` of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as `SafeERC20.safeTransfer`). 
The workaround is to always do a greater than or equal to check, rather than a strict equals to check.","references":[{"reference_url":"https://github.com/vyperlang/vyper/pull/2281","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/2281"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23"},{"reference_url":"https://pypi.org/project/vyper","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/vyper"},{"reference_url":"https://pypi.org/project/vyper/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/vyper/"},{"reference_url":"https://github.com/advisories/GHSA-375m-5fvv-xq23","reference_id":"GHSA-375m-5fvv-xq23","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-375m-5fvv-xq23"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66556?format=json","purl":"pkg:pypi/vyper@0.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16p5-vc4s-27aq"},{"vulnerability":"VCID-1dy2-nw8w-f3fa"},{"vulnerability":"VCID-1fzv-ufja-zkbk"},{"vulnerability":"VCID-1qav-fvdc-37bh"},{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-5gfr-7g4h-kkdd"},{"vulnerability":"VCID-6h37-axjk-nkd7"},{"vulnerability":"VCID-7qjx-mfmt-mqa4"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8j58-b29e-4ubb"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9gzc-rrfc-8ue9"},
{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-a95n-fkwj-8kba"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-aw5a-xywg-4ydg"},{"vulnerability":"VCID-ca5r-by1f-hffx"},{"vulnerability":"VCID-cr97-vtgx-5qa2"},{"vulnerability":"VCID-ek9p-xvab-13ek"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-fjrc-wmx6-qqgj"},{"vulnerability":"VCID-gkkz-1ayy-rudc"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-jwnr-pngn-dkg3"},{"vulnerability":"VCID-jy5d-868u-afbk"},{"vulnerability":"VCID-jzkq-43jx-83b5"},{"vulnerability":"VCID-pukh-3kf7-5kfx"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-rcah-rmj3-1uc3"},{"vulnerability":"VCID-rpx7-mr5e-ykbf"},{"vulnerability":"VCID-sbmf-6kuf-2kfs"},{"vulnerability":"VCID-uf4u-v1zu-cyha"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"},{"vulnerability":"VCID-zjz2-dn14-huag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.2.9"}],"aliases":["GHSA-375m-5fvv-xq23","GMS-2021-15"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uxtx-tzxz-yuh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109584?format=json","vulnerability_id":"VCID-ynxk-p4rx-j3fg","summary":"Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. 
Therefore, we found no significantly impacted real-world contracts. Nonetheless, an advisory has been made out of an abundance of caution. There are no actions for users to take.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21607","reference_id":"","reference_type":"","scores":[{"value":"0.00776","scoring_system":"epss","scoring_elements":"0.7407","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00776","scoring_system":"epss","scoring_elements":"0.74143","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21607"},{"reference_url":"https://github.com/advisories/GHSA-vgf2-gvx8-xwc3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://github.com/advisories/GHSA-vgf2-gvx8-xwc3"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-33.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-33.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/commit/7136eab0a254aa2ff7ddca41cc05f2ee1fa99caf","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_text
ual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/commit/7136eab0a254aa2ff7ddca41cc05f2ee1fa99caf"},{"reference_url":"https://github.com/vyperlang/vyper/pull/4451","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper/pull/4451"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21607","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21607"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3","reference_id":"GHSA-vgf2-gvx8-xwc3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:34:18Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86891?format=json","purl":"pkg:pypi/vyper@0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.1"}],"aliases":["CVE-2025-21607","GHSA-vgf2-gvx8-xwc3","PYSEC-2025-33"],"risk_score":3.4,"exploitability":"0.5","weighted_severity"
:"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ynxk-p4rx-j3fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62458?format=json","vulnerability_id":"VCID-zjz2-dn14-huag","summary":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy functions (for `>=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. 
This issue has been addressed in 0.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22419","reference_id":"","reference_type":"","scores":[{"value":"0.00539","scoring_system":"epss","scoring_elements":"0.68114","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00539","scoring_system":"epss","scoring_elements":"0.68026","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22419"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml"},{"reference_url":"https://github.com/vyperlang/vyper","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vyperlang/vyper"},{"reference_url":"https://github.com/vyperlang/vyper/issues/3737","reference_id":"3737","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/"}],"url":"https://github.com/vyperlang/vyper/issues/3737"},{"reference_url":"https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f","reference_id":"55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f","reference_type":"","scores":
[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/"}],"url":"https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22419","reference_id":"CVE-2024-22419","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22419"},{"reference_url":"https://github.com/advisories/GHSA-2q8v-3gqq-4f8p","reference_id":"GHSA-2q8v-3gqq-4f8p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2q8v-3gqq-4f8p"},{"reference_url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p","reference_id":"GHSA-2q8v-3gqq-4f8p","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:44Z/"}],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81718?format=json","purl":"pkg:pypi/vyper@0.4.0b1","
is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33m8-47bw-1ugj"},{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-9n1v-uyy5-cfej"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-ckru-wcma-ffbt"},{"vulnerability":"VCID-eq36-zy9n-rqgc"},{"vulnerability":"VCID-fatn-6hfs-2yd6"},{"vulnerability":"VCID-j2sf-e911-9qae"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/28457?format=json","purl":"pkg:pypi/vyper@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7z8b-9fnd-hfh7"},{"vulnerability":"VCID-8qeq-6spq-kbch"},{"vulnerability":"VCID-ah7u-fmtc-6uew"},{"vulnerability":"VCID-qbn3-4wb4-tuep"},{"vulnerability":"VCID-usrs-w2cs-y7ax"},{"vulnerability":"VCID-ynxk-p4rx-j3fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.4.0"}],"aliases":["CVE-2024-22419","GHSA-2q8v-3gqq-4f8p","PYSEC-2024-103"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zjz2-dn14-huag"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vyper@0.1.0b5"}