Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
CVE-2023-32059

7.5HIGH

Key Information:

Vendor: Vyperlang
Status: Vyper
Vendor: CVE Published:; 11 May 2023

What is CVE-2023-32059?

The Vyper smart contract language for Ethereum has a vulnerability in how it handles internal calls with default arguments in versions prior to 0.3.8. Specifically, the compilation of these calls occurs incorrectly; the default arguments are added from left-to-right instead of the expected right-to-left. This misalignment can lead to a bypass of type checking if incompatible types are passed. Furthermore, the handling of keyword arguments for internal functions is not well documented, introducing potential exploitation paths by developers unfamiliar with this feature. The issue has been resolved in Vyper version 0.3.8.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

vyper < 0.3.8

References

https://github.com/vyperlang/vyper/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/vyperlang/vyper/commit/c3e68c302aa6e14...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 11, 2023
Vulnerability Reserved
May 1, 2023

JSON

Vyperlang

What is CVE-2023-32059?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.