CVE-2023-41052

low-risk

Published 2023-09-04

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Vyper

Affected Vendors

Vyperlang

References (4)

Patch https://github.com/vyperlang/vyper/pull/3583

Exploit https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq

Patch https://github.com/vyperlang/vyper/pull/3583

Exploit https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal