CVE-2023-42460

MEDIUMNVD 5.35.3—

5.3

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

CVSS v3: 5.3
EG Score: 5.3(medium)
EPSS: 15.1%
KEV: Not listed

Published

September 27, 2023

Last Modified

November 21, 2024

References (4)

security-advisories@githubhttps://github.com/vyperlang/vyper/pull/3626
security-advisories@githubhttps://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97
af854a3a-2127-422b-91ae-364da2661108https://github.com/vyperlang/vyper/pull/3626
af854a3a-2127-422b-91ae-364da2661108https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97

Affected Packages

(1 across 1 ecosystem)

PyPI(1)

Package	Vulnerable range	Fixed in	Dependents
vyper	0.3.10rc1 ... 0.3.9 (11 versions)	0.3.10	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-682Incorrect Calculation

Data Freshness Timeline

(refreshed 8× in last 7d / 8× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-27 13:39 UTCepss_batch
2026-05-27 13:39 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-24 17:01 UTCEG score recompute

Frequently asked(5)

What is CVE-2023-42460?

CVE-2023-42460 is a medium vulnerability published on September 27, 2023. Vyper is a Pythonic Smart Contract Language for the EVM. The abidecode() function does not validate input when it is nested in an expression. Uses of abidecode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but…

When was CVE-2023-42460 disclosed?

CVE-2023-42460 was first published in the National Vulnerability Database on September 27, 2023, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2023-42460 actively exploited?

CVE-2023-42460 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 15.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2023-42460?

CVE-2023-42460 has a CVSS v3 base score of 5.3 (NVD).

How do I remediate CVE-2023-42460?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2023-42460, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-42460

Explore →

Is Your Infrastructure Affected by CVE-2023-42460?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs