Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jeDJxLWhmeHItcmo5N84AA2C3

Vyper's `_abi_decode` input not validated in complex expressions

Impact

_abi_decode() does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):

x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

however, the following example is not bounds checked

@external
def abi_decode(x: uint256) -> uint256:
    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
    return a  # abi_decode(256) returns: 257

the issue can be triggered by constructing an example where the output of _abi_decode is not internally passed to make_setter (an internal codegen routine) or other input validating routine.

Patches

https://github.com/vyperlang/vyper/pull/3626

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Permalink: https://github.com/advisories/GHSA-cx2q-hfxr-rj97
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeDJxLWhmeHItcmo5N84AA2C3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 2 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00061
EPSS Percentile: 0.27975

Identifiers: GHSA-cx2q-hfxr-rj97, CVE-2023-42460
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97
• https://nvd.nist.gov/vuln/detail/CVE-2023-42460
• https://github.com/vyperlang/vyper/pull/3626
• https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-191.yaml
• https://github.com/advisories/GHSA-cx2q-hfxr-rj97

Repository: https://github.com/vyperlang/vyper
Blast Radius: 12.6

Affected Packages