CVE-2024-22419
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2024-22419 is a vulnerability affecting the Vyper Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in function can write beyond the allocated memory buffer, resulting in the overwriting of valid data. This issue stems from a flaw in the `build_IR` for `concat` that does not follow the copy functions' API. Although no vulnerable contracts were detected in production, this length-dependent buffer overflow could alter contract semantics and go undetected during testing. Vyper users are urged to update as soon as possible with the fix introduced in commit `55e18f6d1`.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Vyperlang Vyper
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions