Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-24559

Good to know:

icon
icon

Date: February 5, 2024

Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the "IR" for "sha3_64". Concretely, the "height" variable is miscalculated. The vulnerability can't be triggered without writing the "IR" by hand (that is, it cannot be triggered from regular vyper code). "sha3_64" is used for retrieval in mappings. No flow that would cache the "key" was found so the issue shouldn't be possible to trigger when compiling the compiler-generated "IR". This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.

Language: Python

Severity Score

Related Resources (8)

https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586
https://github.com/vyperlang/vyper/pull/4063
https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv
https://github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652
https://nvd.nist.gov/vuln/detail/CVE-2024-24559
https://github.com/vyperlang/vyper
https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml
https://www.mend.io/vulnerability-database/CVE-2024-24559

Severity Score

Weakness Type (CWE)

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Top Fix

icon

Upgrade Version

Upgrade to version vyper - 0.4.0;vyper - 0.4.0b1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us