Incorrect Comparison Affecting vyper package, versions [0,0.3.2)
Threat Intelligence
EPSS
0.06% (28th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-VYPER-2440813
- published 5 Apr 2022
- disclosed 5 Apr 2022
- credit Unknown
Introduced: 5 Apr 2022
CVE-2022-24787 Open this link in a new tabHow to fix?
Upgrade vyper
to version 0.3.2 or higher.
Overview
vyper is a Pythonic Smart Contract Language for the EVM.
Affected versions of this package are vulnerable to Incorrect Comparison where bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with "\x00"
because there is no comparison of the length.
References
CVSS Scores
version 3.1