CVE-2023-32059: Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to self.foo(13,12) instead of self.foo(13,1337).

    @internal
    def foo(a:uint256 = 12, b:uint256 = 1337):
        pass

    @internal
    def bar():
        self.foo(13)
Note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.
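The binding rule described above, modelled in Python as an added illustration (this is not Vyper compiler code; the Param class, bind_args and the buggy flag are this example's own constructions). The correct path fills missing trailing parameters with their own defaults; the buggy path reproduces the left-to-right filling the advisory describes, so that self.foo(13) binds b=12 instead of b=1337. A second function shows why a type check on the final binding matters: when the parameter types differ, the mis-ordered default lands in a slot of the wrong type.

```python
from dataclasses import dataclass

# Added model of default-argument binding for an internal call.
# It is NOT Vyper's implementation; it only reproduces the ordering
# behaviour described in CVE-2023-32059 so the effect can be inspected.


@dataclass(frozen=True)
class Param:
    name: str
    typ: str            # declared Vyper type, e.g. "uint256", "bool"
    default: object = None  # None means the parameter is required


# Python stand-ins used to check a bound value against its declared type.
PY_TYPE = {"uint256": int, "bool": bool}


def bind_args(params, positional, buggy=False):
    """Return {name: value} for a call f(*positional).

    Correct binding: the supplied values fill parameters from the left and
    every remaining parameter takes its own default (right-to-left fill).

    Buggy binding (the advisory's behaviour): the missing slots are filled
    left-to-right from the list of declared defaults, so with one argument
    supplied the *first* default is written into the *second* slot.
    """
    n_required = sum(1 for p in params if p.default is None)
    if len(positional) < n_required or len(positional) > len(params):
        raise TypeError("wrong number of arguments")

    bound = {p.name: v for p, v in zip(params, positional)}
    missing = params[len(positional):]

    if buggy:
        defaults = [p.default for p in params if p.default is not None]
        for p, d in zip(missing, defaults):
            bound[p.name] = d          # wrong default for this slot
    else:
        for p in missing:
            bound[p.name] = p.default  # each slot keeps its own default
    return bound


def type_mismatches(params, bound):
    """Names of parameters whose bound value does not match the declared type.

    The advisory notes that typechecking is bypassed for the mis-ordered
    defaults; a check over the final binding would have caught that.
    """
    return [p.name for p in params
            if type(bound[p.name]) is not PY_TYPE[p.typ]]


# The advisory's foo(): both defaults are uint256, so the bug is silent.
FOO = [Param("a", "uint256", 12), Param("b", "uint256", 1337)]

# Constructed variant with incompatible types to show the bypassed check.
BAZ = [Param("a", "uint256", 12), Param("flag", "bool", True)]


if __name__ == "__main__":
    print("correct:", bind_args(FOO, [13]))              # {'a': 13, 'b': 1337}
    print("buggy:  ", bind_args(FOO, [13], buggy=True))  # {'a': 13, 'b': 12}
    b = bind_args(BAZ, [13], buggy=True)
    print("buggy typed:", b, "mismatches:", type_mismatches(BAZ, b))
```

Running the script prints the two bindings from the advisory for foo(13) and, for the constructed BAZ signature, shows the uint256 default 12 ending up in the bool slot, which is the kind of mismatch a typecheck on the bound call would reject.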
References
- github.com/advisories/GHSA-ph9x-4vc9-m39g
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac
- github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
- nvd.nist.gov/vuln/detail/CVE-2023-32059