Improper Check or Handling of Exceptional Conditions Affecting vyper package, versions [0,]

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-VYPER-8623829
published15 Jan 2025
disclosed14 Jan 2025
creditHubert Ritzdorf

Report a new vulnerability Found a mistake?

Introduced: 14 Jan 2025

NewCVE-2025-21607 (opens in a new tab) CWE-703 (opens in a new tab)

How to fix?

There is no fixed version for vyper.

Overview

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions due to a failure to verify the success flag of calls to the precompiles EcRecover (0x1) and Identity (0x4). An attacker can exploit this by providing a specific amount of gas to intentionally make these calls fail while allowing the overall execution to continue.

References

GitHub Advisory

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None