<p>Upgrade <code>vyper</code> to version 0.4.0 or higher.</p>

Improper Restriction of Operations within the Bounds of a Memory Buffer Affecting vyper package, versions [0, 0.4.0)

Threat Intelligence

Proof of concept

0.07% (31^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-VYPER-6226584
published 2 Feb 2024
disclosed 1 Feb 2024
credit Zach Obront

Report a new vulnerability Found a mistake?

Introduced: 1 Feb 2024

CVE-2024-24561 Open this link in a new tab CWE-119 Open this link in a new tab

How to fix?

Upgrade vyper to version 0.4.0 or higher.

Overview

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer via the slice function. An attacker can achieve out-of-bounds access to storage, memory or calldata addresses and potentially corrupt the length slot of the respective array by manipulating the start or length variables to overflow the bounds check.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High