CVE-2024-26149: Vyper's `_abi_decode` vulnerable to Memory Overflow

February 26, 2024

Summary

If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.

References

github.com/advisories/GHSA-9p8r-4xp4-gw5w
github.com/vyperlang/vyper
github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w
nvd.nist.gov/vuln/detail/CVE-2024-26149

Detect and mitigate CVE-2024-26149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →