CVE-2024-24559: Vyper sha3 codegen bug
(updated )
There is an error in the stack management when compiling the IR for sha3_64. Concretely, the height variable is miscalculated.
The vulnerability can’t be triggered without writing the IR by hand. That is, it cannot be triggered from regular vyper code, it can only be triggered by using the fang binary directly (this binary used to be called vyper-ir prior to v0.3.4).
References
- github.com/advisories/GHSA-6845-xw22-ffxv
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py
- github.com/vyperlang/vyper/commit/d9f9fdadd81a148cbc68f02dbbbcdc0c92fad652
- github.com/vyperlang/vyper/pull/4063
- github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv
- nvd.nist.gov/vuln/detail/CVE-2024-24559
Detect and mitigate CVE-2024-24559 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →