{"id":"PYSEC-2023-191","details":"Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626.","aliases":["CVE-2023-42460","GHSA-cx2q-hfxr-rj97"],"modified":"2023-11-08T04:13:28.966407Z","published":"2023-09-27T15:19:00Z","references":[{"type":"ADVISORY","url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"},{"type":"FIX","url":"https://github.com/vyperlang/vyper/pull/3626"}],"affected":[{"package":{"name":"vyper","ecosystem":"PyPI","purl":"pkg:pypi/vyper"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.3.4"},{"fixed":"0.3.10"}]}],"versions":["0.3.10rc1","0.3.10rc2","0.3.10rc3","0.3.10rc4","0.3.10rc5","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/vyper/PYSEC-2023-191.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}