GSA_kwCzR0hTQS1jeDJxLWhmeHItcmo5N84AA2C3

Moderate CVSS: 6.0 EPSS: 0.00048% (0.14638 Percentile) EPSS:

Permalink JSON

Vyper's `_abi_decode` input not validated in complex expressions

Affected Packages	Affected Versions	Fixed Versions
pypi:vyper	>= 0.3.4, < 0.3.10	0.3.10
5 Dependent packages 236 Dependent repositories 205,117 Downloads last month Affected Version Ranges All affected versions 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9 All unaffected versions 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.10, 0.4.0, 0.4.1, 0.4.2, 0.4.3

Impact

_abi_decode() does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):

x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

however, the following example is not bounds checked

@external
def abi_decode(x: uint256) -> uint256:
    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
    return a  # abi_decode(256) returns: 257

the issue can be triggered by constructing an example where the output of _abi_decode is not internally passed to make_setter (an internal codegen routine) or other input validating routine.

Patches

https://github.com/vyperlang/vyper/pull/3626

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

References:

Identifiers

GHSA-cx2q-hfxr-rj97

CVE-2023-42460

Risk

Severity

Moderate

CVSS

CVSS Score: 6.0

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00048

EPSS Percentile: 0.14638

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/vyperlang/vyper

Date and time

Published

almost 2 years ago

Updated

8 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories