MEDIUM 5.3
PYSEC-2024-205
Details
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and returned by `extract32`. This vulnerability is fixed in 0.4.0.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / vyper
Introduced in:
0 Fixed in: 3d9c537142fb99b2672f21e2057f5f202cde194f Fix
pip install --upgrade 'vyper>=3d9c537142fb99b2672f21e2057f5f202cde194f' References
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx [ADVISORY]
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx [EVIDENCE]
- https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f [FIX]
- https://github.com/advisories/GHSA-4hwq-4cpm-8vmx [ADVISORY]