CVE-2023-41052
LOWvyperlang/vyper < 0.3.9 and pypi/vyper < 0.3.10rc1 - Always-Incorrect Control Flow Implementation in Builtin Functions
Title source: llmDescription
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq
Patch x_refsource_misc
https://github.com/vyperlang/vyper/pull/3583
Scores
CVSS v3
3.7
EPSS
0.0046
EPSS Percentile
35.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-670
Status
published
Products (2)
pypi/vyper
0 - 0.3.10rc1PyPI
vyperlang/vyper
< 0.3.9
Published
Sep 04, 2023
Tracked Since
Feb 18, 2026