Improper Validation of Specified Quantity in Input Affecting vyper package, versions [0, 0.4.0)
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.05% (19th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-VYPER-6228058
- published 5 Feb 2024
- disclosed 5 Feb 2024
- credit Unknown
Introduced: 5 Feb 2024
CVE-2024-24559 Open this link in a new tabHow to fix?
Upgrade vyper
to version 0.4.0 or higher.
Overview
vyper is a Pythonic Smart Contract Language for the EVM.
Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the form of an error in stack management when compiling the IR
for sha3_64
. The height
variable is miscalculated, which can lead to incorrect bytecode generation. An attacker can exploit this by manually writing the IR
and using the fang
binary directly to compile it.
References
CVSS Scores
version 3.1