vyper
PyPI36 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting vyperpage 1 of 1
- CVE-2021-41121HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.02021-10-06
vulnerable: 0.1.0b1 ... 0.2.9 (33 versions)
Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the sta…
- CVE-2021-41122MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.3.02021-10-05
vulnerable: 0.1.0b1 ... 0.2.9 (33 versions)
Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0.
- CVE-2022-24787HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.22022-04-04
vulnerable: 0.1.0b1 ... 0.3.1 (35 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty non…
- CVE-2022-24788HIGHCVSS 7.1EG 7.1✓ Fixed in 0.3.22022-04-13
vulnerable: 0.1.0b1 ... 0.3.1 (35 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode whic…
- CVE-2022-24845HIGHCVSS 8.8EG 8.8✓ Fixed in 0.3.22022-04-13
vulnerable: 0.1.0b1 ... 0.3.1 (35 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretati…
- CVE-2022-29255HIGHCVSS 8.2EG 8.2✓ Fixed in 0.3.42022-06-09
vulnerable: 0.1.0b1 ... 0.3.3 (37 versions)
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This…
- CVE-2023-30629HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-04-24
vulnerable: 0.3.1 ... 0.3.7 (7 versions)
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_o…
- CVE-2023-30837HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-05-08
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.
- CVE-2023-31146HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-05-11
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case wher…
- CVE-2023-32058HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-05-11
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type …
- CVE-2023-32059HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-05-11
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults a…
- CVE-2023-32675LOWCVSS 3.7EG 3.7✓ Fixed in 0.3.82023-05-19
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpay…
- CVE-2023-37902MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.3.92023-07-25
vulnerable: 0.1.0b1 ... 0.3.8 (42 versions)
Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin wi…
- CVE-2023-39363MEDIUMCVSS 5.9EG 5.92023-08-07
vulnerable: 0.1.0b1 ... 0.4.3rc1 (74 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock re…
- CVE-2023-40015LOWCVSS 3.7EG 5.3✓ Fixed in 0.3.10rc12023-09-04
vulnerable: 0.1.0b1 ... 0.3.9 (43 versions)
Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div…
- CVE-2023-41052LOWCVSS 3.7EG 3.7✓ Fixed in 0.3.10rc12023-09-04
vulnerable: 0.1.0b1 ... 0.3.9 (43 versions)
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is pro…
- CVE-2023-42441MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.3.102023-09-18
vulnerable: 0.2.10 ... 0.3.9 (23 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at run…
- CVE-2023-42443HIGHCVSS 8.1EG 8.1✓ Fixed in 0.3.102023-09-18
vulnerable: 0.1.0b1 ... 0.3.9 (48 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corru…
- CVE-2023-42460MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.3.102023-09-27
vulnerable: 0.3.10rc1 ... 0.3.9 (11 versions)
Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed res…
- CVE-2023-46247HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.82023-12-13
vulnerable: 0.1.0b1 ... 0.3.7 (41 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a st…
- CVE-2024-22419HIGHCVSS 7.3EG 7.3✓ Fixed in 0.4.0b12024-01-18
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the…
- CVE-2024-24559LOWCVSS 3.7EG 3.7✓ Fixed in 0.4.0b12024-02-05
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writ…
- CVE-2024-24560LOWCVSS 3.7EG 3.7✓ Fixed in 0.4.0b12024-02-02
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the…
- CVE-2024-24561CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.4.0b12024-02-01
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a…
- CVE-2024-24563CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.4.0b12024-02-07
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as …
- CVE-2024-24564LOWCVSS 3.7EG 3.7✓ Fixed in 0.4.02024-02-26
vulnerable: 0.1.0b1 ... 0.4.0rc6 (61 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it cou…
- CVE-2024-24567MEDIUMCVSS 4.8EG 4.8✓ Fixed in 0.4.0b12024-01-30
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall t…
- CVE-2024-26149LOWCVSS 3.7EG 3.7✓ Fixed in 0.4.0b12024-02-26
vulnerable: 0.1.0b1 ... 0.3.9 (49 versions)
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the d…
- CVE-2024-32481MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.4.0b12024-04-25
vulnerable: 0.3.10 ... 0.3.9 (8 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution …
- CVE-2024-32645MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.4.02024-04-25
vulnerable: 0.1.0b1 ... 0.4.0rc6 (61 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract s…
- CVE-2024-32646MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.4.02024-04-25
vulnerable: 0.1.0b1 ... 0.4.0rc6 (61 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `…
- CVE-2024-32647MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.4.02024-04-25
vulnerable: 0.1.0b1 ... 0.4.0rc6 (61 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument ha…
- CVE-2024-32648MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.3.02024-04-25
vulnerable: 0.1.0b1 ... 0.2.9 (33 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionall…
- CVE-2024-32649MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.4.02024-04-25
vulnerable: 0.1.0b1 ... 0.4.0rc6 (61 versions)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build…
- CVE-2025-47285NONECVSS 0.0EG 0.02025-05-15
vulnerable: 0.1.0b1 ... 0.4.2rc1 (71 versions)
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the …
- CVE-2025-47774NONECVSS 0.0EG 0.02025-05-15
vulnerable: 0.1.0b1 ... 0.4.2rc1 (71 versions)
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.d…
Check whether vyper is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for vyper CVEs against the assets you own.
Start Free Scan →