CVE-2023-42460

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-42460

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42460.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-42460

Aliases

Published

2023-09-26T18:47:09.721Z

Modified

2026-04-02T09:21:37.533293Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

_abi_decode input not validated in complex expressions in Vyper

Details

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

Database specific

{
    "cwe_ids": [
        "CWE-682"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42460.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/vyperlang/vyper

Affected ranges

Type: GIT
Repo: https://github.com/vyperlang/vyper
Events: Introduced

f31f0ec406bbbd2055f125abd17278e3ac2ed84f

Fixed

9136169468f317a53b4e7448389aa315f90b95ba

Affected versions

v0.*

v0.3.10rc1

v0.3.10rc2

v0.3.10rc3

v0.3.10rc4

v0.3.10rc5

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42460.json"