CVE-2024-32648

EUVD-2024-0179
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
vyperlangvyper
𝑥
< 0.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177
https://github.com/vyperlang/vyper/issues/2455
https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9
https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177
https://github.com/vyperlang/vyper/issues/2455
https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9