ghsa-4w26-8p97-f4jp
Vulnerability from github
Published
2025-02-21 22:43
Modified
2025-02-21 22:43
Summary
AugAssign evaluation order causing OOB write within the object in Vyper
Details

Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. In other words, the following code

vyper def poc(): a: DynArray[uint256, 2] = [1, 2] a[1] += a.pop()

is equivalent to: vyper def poc(): a: DynArray[uint256, 2] = [1, 2] a[1] += a[len(a) - 1] a.pop() rather than: vyper def poc(): a: DynArray[uint256, 2] = [1, 2] s: uint256 = a[1] t: uint256 = a.pop() a[1] = s + t # reverts due to oob access

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27105"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T22:43:33Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. In other words, the following code\n\n```vyper\ndef poc():\n    a: DynArray[uint256, 2] = [1, 2]\n    a[1] += a.pop()\n```\n\nis equivalent to:\n```vyper\ndef poc():\n    a: DynArray[uint256, 2] = [1, 2]\n    a[1] += a[len(a) - 1]\n    a.pop()\n```\nrather than:\n```vyper\ndef poc():\n    a: DynArray[uint256, 2] = [1, 2]\n    s: uint256 = a[1]\n    t: uint256 = a.pop()\n    a[1] = s + t  # reverts due to oob access\n```",
  "id": "GHSA-4w26-8p97-f4jp",
  "modified": "2025-02-21T22:43:33Z",
  "published": "2025-02-21T22:43:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "AugAssign evaluation order causing OOB write within the object in Vyper"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.