PyPi: Vyper

CVE-2023-42441

Safety vulnerability ID: 61307

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 18, 2023 Updated at Oct 15, 2024

Scan your Python projects for vulnerabilities →

Advisory

Vyper is affected by CVE-2023-42441: Starting in version 0.2.9 and prior to version 0.3.10, locks of the type '@nonreentrant("")' or '@nonreentrant('')' do not produce reentrancy checks at runtime. As a workaround, ensure the lock name is a non-empty string.
https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m

Affected package

vyper

Latest version: 0.4.0

Vyper: the Pythonic Programming Language for the EVM

Affected versions

Fixed versions

Vulnerability changelog

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string. See CVE-2023-42441.

MISC:https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83: https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83
MISC:https://github.com/vyperlang/vyper/pull/3605: https://github.com/vyperlang/vyper/pull/3605
MISC:https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m: https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): LOW
Availability Availability (A): NONE