CVE-2023-42460

low-risk

Published 2023-09-27

Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Vyper

Affected Vendors

Vyperlang

References (4)

Patch https://github.com/vyperlang/vyper/pull/3626

Exploit https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97

Patch https://github.com/vyperlang/vyper/pull/3626

Exploit https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal