CVE-2024-24563: Vyper negative array index bounds checks
(updated )
Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn’t throw when spotting the usage of an int as an index for an array. Typically, negative integers are filtered out at runtime by the bounds checker, but small enough (i.e. large in magnitude, ex. -2**255 + 5) quantities combined with large enough arrays (at least 2**255 in length) can pass the bounds checker, resulting in unexpected behavior.
A contract search was performed, and no production contracts were found to be impacted.
References
- github.com/advisories/GHSA-52xq-j7v9-v4v2
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-150.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py
- github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py
- github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2
- nvd.nist.gov/vuln/detail/CVE-2024-24563
Detect and mitigate CVE-2024-24563 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →