
GHSA-ph9x-4vc9-m39g

GitHub Security Advisory

Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact

Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments
provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,
typechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to
`self.foo(13,12)` instead of `self.foo(13,1337)`.

```vyper
@internal
def foo(a: uint256 = 12, b: uint256 = 1337):
    pass

@internal
def bar():
    # Compiled to self.foo(13, 12) by affected versions; should be self.foo(13, 1337)
    self.foo(13)
```

Note that, at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.
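To make the binding rule concrete, here is an added Python model (not code from the advisory or from the Vyper project) that places the intended semantics next to the pre-0.3.8 behaviour the advisory describes: omitted trailing parameters should each receive their own default, whereas the affected compiler padded the missing slots with defaults taken left-to-right. The `Param` type, the `miscompiled_arities` and `type_bypass` helpers, and the `baz` signature are constructed for this model; only `foo(a = 12, b = 1337)` comes from the advisory. The model generalises beyond the two-argument case so an auditor can list, for any internal function signature, which call arities were affected and where a default of the wrong declared type would have been bound.

```python
"""Model of default-argument binding for Vyper internal calls (added example).

Compares the correct rule (each omitted parameter takes its own default) with
the pre-0.3.8 behaviour described in GHSA-ph9x-4vc9-m39g (missing slots are
padded with defaults in declaration order). Param/Signature are a constructed
model for illustration, not vyper compiler APIs.
"""
from dataclasses import dataclass
from typing import Any

_REQUIRED = object()  # sentinel: parameter has no default


@dataclass(frozen=True)
class Param:
    name: str
    typ: str                 # declared Vyper type, e.g. "uint256"
    default: Any = _REQUIRED

    @property
    def has_default(self) -> bool:
        return self.default is not _REQUIRED


def _required_count(params: list[Param]) -> int:
    return sum(1 for p in params if not p.has_default)


def bind_correct(params: list[Param], args: list[Any]) -> dict[str, Any]:
    """Intended semantics: positional args fill parameters left-to-right and
    every parameter not covered by an argument takes its *own* default."""
    if len(args) > len(params):
        raise TypeError("too many arguments")
    bound = {}
    for i, p in enumerate(params):
        if i < len(args):
            bound[p.name] = args[i]
        elif p.has_default:
            bound[p.name] = p.default
        else:
            raise TypeError(f"missing required argument {p.name!r}")
    return bound


def bind_buggy(params: list[Param], args: list[Any]) -> dict[str, Any]:
    """Pre-0.3.8 behaviour from the advisory: the slots left empty by the call
    are padded with the function's defaults in declaration order, regardless
    of which parameters were actually omitted."""
    if len(args) > len(params) or len(args) < _required_count(params):
        raise TypeError("wrong number of arguments")
    defaults = [p.default for p in params if p.has_default]
    padded = list(args) + defaults[: len(params) - len(args)]
    return {p.name: v for p, v in zip(params, padded)}


def miscompiled_arities(params: list[Param]) -> list[int]:
    """Argument counts for which the two rules disagree, i.e. the calls to
    this function that affected compiler versions would bind incorrectly."""
    bad = []
    for n in range(_required_count(params), len(params) + 1):
        args = [f"arg{i}" for i in range(n)]  # placeholder values
        if bind_correct(params, args) != bind_buggy(params, args):
            bad.append(n)
    return bad


def type_bypass(params: list[Param], args: list[Any]) -> list[tuple[str, str, str, str]]:
    """Under the buggy rule, report each omitted parameter that receives a
    default declared for a parameter of a different type, as
    (param, param_type, source_param, source_type)."""
    defaults = [p for p in params if p.has_default]
    omitted = params[len(args):]
    out = []
    for dst, src in zip(omitted, defaults):
        if dst.typ != src.typ:
            out.append((dst.name, dst.typ, src.name, src.typ))
    return out


# The advisory's signature: foo(a: uint256 = 12, b: uint256 = 1337)
FOO = [Param("a", "uint256", 12), Param("b", "uint256", 1337)]

# Constructed signature with mixed types to show the type-check bypass.
BAZ = [
    Param("x", "uint256", 1),
    Param("flag", "bool", False),
    Param("addr", "address", "0x0000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    print("correct:", bind_correct(FOO, [13]))   # {'a': 13, 'b': 1337}
    print("buggy:  ", bind_buggy(FOO, [13]))     # {'a': 13, 'b': 12}
    print("affected arities for foo:", miscompiled_arities(FOO))
    print("type mismatches for baz(5):", type_bypass(BAZ, [5]))
```

Running the model reproduces the advisory's example (`self.foo(13)` binds `b = 12` instead of `1337`) and shows why the note about "more than 1 default argument" holds: with a single default, padding left-to-right and right-to-left coincide, so `miscompiled_arities` is empty, while a function with several defaults of differing types lets a `uint256` default land in a `bool` parameter without the compiler objecting.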

### Patches
Patched in c3e68c302aa6e1429946473769dd1232145822ac

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References
_Are there any links users can visit to find out more?_

Affected Packages

PyPI vyper
Affected versions: 0 (fixed in 0.3.8)

Related CVEs

Key Information

GHSA ID
GHSA-ph9x-4vc9-m39g
Published
May 12, 2023 8:21 PM
Last Modified
November 19, 2024 4:33 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.