CVE-2023-42441: Vyper has incorrect re-entrancy lock when key is empty string
(updated )
Locks of the type @nonreentrant("")
or @nonreentrant('')
do not produce reentrancy checks at runtime.
@nonreentrant("") # unprotected
@external
def bar():
pass
@nonreentrant("lock") # protected
@external
def foo():
pass
References
- github.com/advisories/GHSA-3hg2-r75x-g69m
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-305.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83
- github.com/vyperlang/vyper/pull/3605
- github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m
- nvd.nist.gov/vuln/detail/CVE-2023-42441
Detect and mitigate CVE-2023-42441 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →