Vulnerability Description
Vyper is a pythonic smart contract language for the Ethereum Virtual Machine. In affected versions, the return value of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not in complex expressions. Users are advised to upgrade. There is no known workaround for this issue.
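The following is an added illustration, not code from the Vyper project or from the advisory. It models the class of defect described above in plain Python: an external call returns a 32-byte ABI word that is a valid `int256` but lies outside the `int128` range, and the caller either accepts it unchecked (the vulnerable pattern) or rejects it (the fixed pattern). The `store_as_int128` step is a hypothetical downstream consequence used to show how an unchecked value can change meaning; it is not a claim about Vyper's actual code generation.

```python
# Added example, not code from the Vyper project or the advisory: a model of
# why the 32-byte word returned by an external call must be range-checked
# before it is used as an int128, and what can go wrong when it is not.

INT128_MIN = -(2 ** 127)
INT128_MAX = 2 ** 127 - 1
WORD_BITS = 256


def word_to_int256(word: bytes) -> int:
    """Interpret a 32-byte ABI word as a two's-complement int256."""
    if len(word) != 32:
        raise ValueError("an ABI word is exactly 32 bytes")
    value = int.from_bytes(word, "big", signed=False)
    if value >= 2 ** (WORD_BITS - 1):
        value -= 2 ** WORD_BITS
    return value


def int256_to_word(value: int) -> bytes:
    """Encode an int256 as a 32-byte two's-complement ABI word."""
    return (value % 2 ** WORD_BITS).to_bytes(32, "big")


def in_int128_range(value: int) -> bool:
    return INT128_MIN <= value <= INT128_MAX


def decode_int128_unchecked(word: bytes) -> int:
    """Vulnerable pattern: accept whatever int256 the callee returned and
    hand it to the caller as if it were already an int128."""
    return word_to_int256(word)


def decode_int128_checked(word: bytes) -> int:
    """Fixed pattern: reject (revert) when the callee's word is outside the
    int128 range instead of passing an out-of-range value downstream."""
    value = word_to_int256(word)
    if not in_int128_range(value):
        raise ValueError(f"callee returned {value}, outside int128 bounds")
    return value


def store_as_int128(value: int) -> int:
    """Hypothetical downstream step: writing the value into a 128-bit slot
    keeps only the low 128 bits and re-reads them as signed. Used here to
    show how an unchecked value changes meaning; not Vyper's actual codegen."""
    low = value & (2 ** 128 - 1)
    return low - 2 ** 128 if low >= 2 ** 127 else low


# Constructed return words from an untrusted callee (sample data, not real).
HONEST_WORD = int256_to_word(42)
OVERSIZED_WORD = int256_to_word(INT128_MAX + 1)   # valid int256, not an int128


def demo() -> dict:
    """Return what each decoder produces for the constructed words."""
    raw = decode_int128_unchecked(OVERSIZED_WORD)
    results = {
        "honest_checked": decode_int128_checked(HONEST_WORD),
        "oversized_unchecked": raw,                  # 2**127, silently accepted
        "oversized_after_store": store_as_int128(raw),  # reads back as INT128_MIN
        "oversized_in_range": in_int128_range(raw),
    }
    try:
        decode_int128_checked(OVERSIZED_WORD)
        results["oversized_checked_rejected"] = False
    except ValueError:
        results["oversized_checked_rejected"] = True
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the model is the sign flip: a callee returning `INT128_MAX + 1` is accepted by the unchecked decoder, and once that value is squeezed into a 128-bit slot it reads back as the most negative `int128`. The checked decoder makes the call fail instead, which is the behavior the fixed compiler versions enforce for the return of `<iface>.returns_int128()`.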
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vyperlang | Vyper | < 0.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e47 (Patch, Third Party Advisory)
- https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-24845?
CVE-2022-24845 is a vulnerability with a CVSS score of 8.8 (HIGH). Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. Thi...
How severe is CVE-2022-24845?
CVE-2022-24845 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24845?
Check the references section above for vendor advisories and patch information. Affected products include: Vyperlang Vyper.