GHSA-4w26-8p97-f4jp

Опубликовано: 21 фев. 2025

Источник: github

Github: Прошло ревью

CVSS4: 2.3

Описание

AugAssign evaluation order causing OOB write within the object in Vyper

Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. In other words, the following code

def poc(): a: DynArray[uint256, 2] = [1, 2] a[1] += a.pop()

is equivalent to:

def poc(): a: DynArray[uint256, 2] = [1, 2] a[1] += a[len(a) - 1] a.pop()

rather than:

def poc(): a: DynArray[uint256, 2] = [1, 2] s: uint256 = a[1] t: uint256 = a.pop() a[1] = s + t # reverts due to oob access

Ссылки

Пакеты

Наименование

vyper

pip

Затронутые версииВерсия исправления

<= 0.4.0

0.4.1

EPSS

Процентиль: 53%

0.00301

Низкий

2.3 Low

CVSS4

CVE ID

CVE-2025-27105

Дефекты

CWE-787

Связанные уязвимости

CVE-2025-27105

CVSS3: 9.1

nvd

12 месяцев назад

vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS

Процентиль: 53%

0.00301

Низкий

2.3 Low

CVSS4

CVE ID

CVE-2025-27105

Дефекты

CWE-787