CVE-2022-24845 – vyper

Package

Manager: pip
Name: vyper
Vulnerable Version: >=0 <0.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00376 pctl0.5841

Details

Integer bounds error in Vyper ### Impact in the following code, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. as of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. ```vyper interface iface: def returns_int128() -> int128: view def returns_Bytes33() -> Bytes[33]: view x: iface @external def call_out(): x: int128 = self.x.returns_int128() # affected, <0.3.0 y: uint256 = convert(self.x.returns_int128(), uint256) # affected, <0.3.2 z: Bytes[33] = concat(self.x.returns_Bytes33(), b"") # affected >= 0.3.0, <0.3.2 ``` ### Patches 0.3.2 (as of https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b) ### Workarounds Break up operations involving external calls into multiple statements. For instance, instead of the example above, use ``` x: int128 = self.x.returns_int128() y: uint256 = convert(x, uint256) ```

Metadata

Created: 2022-04-22T20:24:13Z
Modified: 2022-04-22T20:24:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-j2x6-9323-fp7h/GHSA-j2x6-9323-fp7h.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-j2x6-9323-fp7h
Finding: F111
Auto approve: 1