What is CVE-2024-24563?

CVE-2024-24563 is a critical-severity vulnerability in Vyperlang Vyper, classified under Improper Validation of Array Index. CVSS score: 9.8/10. Published 2024-02-07.

How severe is CVE-2024-24563?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Vulnerability in Vyperlang Vyper

CVE-2024-24563

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as…

EPSS: 0.002 (37.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Vyperlang Vyper — versions <= 0.3.10

Weakness classification (CWE)

CWE-129 — Improper Validation of Array Index

References

https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2 (x_refsource_CONFIRM)
https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541 (x_refsource_MISC)
https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-24563?: CVE-2024-24563 is a critical-severity vulnerability in Vyperlang Vyper, classified under Improper Validation of Array Index. CVSS score: 9.8/10. Published 2024-02-07.
How severe is CVE-2024-24563?: Critical severity. CVSS v3 base score is 9.8 out of 10.