Home > Vulnerability Database > CVE-2024-24561

Mend.io Vulnerability Database

CVE-2024-24561

Good to know:

Date: February 1, 2024

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.

Language: Python

Severity Score

9.8

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-24561

Url: https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c

Url: https://github.com/vyperlang/vyper/issues/3756

Url: https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457

Url: https://www.mend.io/vulnerability-database/CVE-2024-24561

Severity Score

9.8

Weakness Type (CWE)

Buffer Errors

CWE-119

Out-of-bounds Write

CWE-787

Top Fix

Upgrade Version

Upgrade to version vyper - 0.4.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-24561

Good to know:

Date: February 1, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?