GHSA-cx2q-hfxr-rj97

GitHub Security Advisory

Vyper's `_abi_decode` input not validated in complex expressions

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
`_abi_decode()` does not validate its input when it is nested inside a larger expression. The following example is correctly validated (bounds checked):
```vyper
x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)
```

However, the following example is not bounds checked:
```vyper
@external
def abi_decode(x: uint256) -> uint256:
    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
    return a  # abi_decode(256) returns: 257
```

The issue can be triggered by constructing an expression in which the output of `_abi_decode` is not passed internally to `make_setter` (an internal codegen routine) or to another input-validating routine.
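To make the "bounds checked" distinction concrete, the following Python model (an added example, not code from the Vyper compiler or from this advisory) decodes a 32-byte ABI head word into a narrow integer type both with and without the type bounds check. The selector bytes and the helper names are constructed for the illustration; the behaviour it reproduces is the advisory's own: a call with the argument `256` yields `257` on the unvalidated path, while a validating decoder rejects the word because 256 does not fit a `uint8`. It also covers the signed `int128` case from the validated example above.

```python
# Added example (not from the Vyper project): a minimal model of ABI word decoding
# with and without the type bounds check that the advisory describes as skipped
# when `_abi_decode` is nested inside a larger expression.

WORD = 32  # ABI head words are 32 bytes

# Constructed 4-byte function selector; its actual value is irrelevant here.
SELECTOR = bytes.fromhex("00000000")


def build_calldata(arg: int) -> bytes:
    """Construct calldata for one uint256 argument: selector + a single 32-byte word."""
    return SELECTOR + arg.to_bytes(WORD, "big")


def decode_word_unvalidated(word: bytes) -> int:
    """Read a 32-byte word as an unsigned integer with no type bounds check.

    This models the defective path: the declared ABI type (e.g. uint8) is
    ignored and whatever value the word holds is returned as-is.
    """
    if len(word) != WORD:
        raise ValueError("expected a 32-byte word")
    return int.from_bytes(word, "big")


def decode_uint_validated(word: bytes, bits: int) -> int:
    """Decode uintN with the check a validating decoder performs: value < 2**bits."""
    value = decode_word_unvalidated(word)
    if value >= 1 << bits:
        raise ValueError(f"value {value} does not fit uint{bits}")
    return value


def decode_int_validated(word: bytes, bits: int) -> int:
    """Decode intN: read the word as two's complement and check the signed range."""
    if len(word) != WORD:
        raise ValueError("expected a 32-byte word")
    value = int.from_bytes(word, "big", signed=True)
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= value <= hi:
        raise ValueError(f"value {value} does not fit int{bits}")
    return value


def abi_decode_plus_one_unvalidated(calldata: bytes) -> int:
    """Mirror of the advisory's vulnerable function: the first argument word is
    decoded "as uint8" inside an arithmetic expression with no bounds check."""
    return decode_word_unvalidated(calldata[4:4 + WORD]) + 1


def abi_decode_plus_one_validated(calldata: bytes) -> int:
    """The same expression with the uint8 bounds check applied before the arithmetic."""
    return decode_uint_validated(calldata[4:4 + WORD], 8) + 1


def rejects(fn, *args) -> bool:
    """True if the decoder refuses the input (models a revert), False if it accepts it."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cd = build_calldata(256)  # 256 does not fit in a uint8
    print("unvalidated:", abi_decode_plus_one_unvalidated(cd))  # 257, as in the advisory
    print("validated rejects 256 as uint8:", rejects(abi_decode_plus_one_validated, cd))
```

The point of the model is that the validity of the decoded value depends on the declared type, not on the raw word: every 32-byte word is a valid `uint256`, so a decoder that skips the type check for `uint8` or `int128` silently admits values the contract's types promise to exclude.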

### Patches
https://github.com/vyperlang/vyper/pull/3626

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References
_Are there any links users can visit to find out more?_

Affected Packages

PyPI vyper
Affected versions: 0.3.4 (fixed in 0.3.10)

Related CVEs

Key Information

GHSA ID
GHSA-cx2q-hfxr-rj97
Published
September 26, 2023 7:34 PM
Last Modified
November 19, 2024 5:23 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.