Out-of-bounds Read Affecting vyper package, versions [0, 0.4.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-VYPER-6227506
  • published4 Feb 2024
  • disclosed2 Feb 2024
  • creditZach Obront

Introduced: 2 Feb 2024

CVE-2024-24560  (opens in a new tab)
CWE-125  (opens in a new tab)

How to fix?

Upgrade vyper to version 0.4.0 or higher.

Overview

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper handling of external contract calls with overlapping input and return buffers. An attacker can cause the contract to overrun the returned data and read return data from the input buffer by supplying malformed return data that is not properly checked against the returned value's length.

CVSS Scores

version 3.1