Vulnerability Description
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vyperlang | Vyper | < 0.3.8 |
Related Weaknesses (CWE)
References
- https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822Patch
- https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39gExploitVendor Advisory
- https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822Patch
- https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39gExploitVendor Advisory
FAQ
What is CVE-2023-32059?
CVE-2023-32059 is a vulnerability with a CVSS score of 7.5 (HIGH). Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of argumen...
How severe is CVE-2023-32059?
CVE-2023-32059 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32059?
Check the references section above for vendor advisories and patch information. Affected products include: Vyperlang Vyper.