CVE-2024-24559

Description

Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.

How to fix CVE-2024-24559

To remediate CVE-2024-24559, upgrade the affected package to a fixed version below.

• —upgrade to 0.4.0 or later
• —upgrade to 0.4.0b1 or later

Is CVE-2024-24559 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 0.4.0
• from 0, < 0.4.0b1

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24559
• PATCHgithub.com/vyperlang/vyper
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-147.yaml
• WEBgithub.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586