CVE-2024-32646

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m	Vendor Advisory
https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

History

02 Jan 2025, 22:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:vyperlang:vyper::::::python::*
First Time		Vyperlang Vyperlang vyper
CWE		NVD-CWE-Other
References	~~() https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m -~~	() https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m - Vendor Advisory

21 Nov 2024, 09:15

Type	Values Removed	Values Added
References	~~() https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m -~~	() https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m -

26 Apr 2024, 12:58

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-25 18:15

Updated : 2025-01-02 22:52

NVD link : CVE-2024-32646

Mitre link : CVE-2024-32646

CVE.ORG link : CVE-2024-32646

JSON object : View

Products Affected

vyperlang

vyper

CWE

CWE-20

Improper Input Validation

NVD-CWE-Other

{"id": "CVE-2024-32646", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-04-25T18:15:08.780", "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.\n\n"}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. En las versiones 0.3.10 y anteriores, el uso de la funci\u00f3n incorporada `slice` puede generar una vulnerabilidad de doble evaluaci\u00f3n cuando el argumento del b\u00fafer es `msg.data`, `self.code` o `.code` y el ` Los argumentos de inicio o longitud tienen efectos secundarios. Se puede activar f\u00e1cilmente solo con las versiones \"<0.3.4\", ya que \"0.3.4\" introdujo el s\u00edmbolo \u00fanico de valla. No se encontraron contratos de producci\u00f3n vulnerables. Adem\u00e1s, la doble evaluaci\u00f3n de los efectos secundarios deber\u00eda poder descubrirse f\u00e1cilmente en las pruebas de los clientes. Como tal, el impacto es bajo. Al momento de la publicaci\u00f3n, no hay versiones fijas disponibles."}], "lastModified": "2025-01-02T22:52:15.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "CEC5BCE2-DB5C-49EB-A302-F11E4E02F9BD", "versionEndExcluding": "0.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}