Vulnerabilities > CVE-2023-42460 - Unspecified vulnerability in Vyperlang Vyper

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

vyperlang

NVD

Published: 2023-09-27

Updated: 2024-11-21

Summary

Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626.

Vulnerable Configurations

Part	Description	Count
Application	Vyperlang Vyperlang Vyper 0.3.4 Vyperlang Vyper 0.3.5 Vyperlang Vyper 0.3.6 Vyperlang Vyper 0.3.7 Vyperlang Vyper 0.3.8 Vyperlang Vyper 0.3.9	6

References

https://github.com/vyperlang/vyper/pull/3626
https://github.com/vyperlang/vyper/pull/3626
https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97
https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97