CVE-2023-42460: Vyper's `_abi_decode` input not validated in complex expressions

September 26, 2023 (updated November 19, 2024)

_abi_decode() does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):

x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

however, the following example is not bounds checked

@external
def abi_decode(x: uint256) -> uint256:
a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
return a  # abi_decode(256) returns: 257

the issue can be triggered by constructing an example where the output of _abi_decode is not internally passed to make_setter (an internal codegen routine) or other input validating routine.

References

github.com/advisories/GHSA-cx2q-hfxr-rj97
github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-191.yaml
github.com/vyperlang/vyper
github.com/vyperlang/vyper/pull/3626
github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97
nvd.nist.gov/vuln/detail/CVE-2023-42460

Detect and mitigate CVE-2023-42460 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →