Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)
Vyper is a Pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. The `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the `args` argument to the stack, causing it to be evaluated multiple times instead of retrieving the value from the stack.
This double evaluation of the `args` argument with side-effects could potentially lead to unintended code execution or denial of service. However, no vulnerable production contracts were found, and the double evaluation should be easily discoverable in client tests, so the overall impact is considered low.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.
As of the time of publication, no fixed versions were available for Vyper 0.3.10 and prior versions affected by this vulnerability.
While no official mitigation is provided, it is recommended to update to the latest patched version of Vyper once it becomes available. In the meantime, carefully review any use of the `create_from_blueprint` builtin with `raw_args=True` and ensure that the `args` argument does not have any unintended side-effects.
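The pattern the advisory warns about, and the workaround it recommends, as an added illustration that is not part of the advisory or the Vyper project's own code. The `counter` storage variable, the `_next_args` helper and the `blueprint` parameter are assumed names chosen for the example; the blueprint contract itself is not shown.

```vyper
# @version 0.3.10
# Constructed example: a factory that deploys from a blueprint and builds the
# constructor calldata with an internal call that has a storage side-effect.

counter: public(uint256)

@internal
def _next_args() -> Bytes[32]:
    # Side-effect: every evaluation advances the counter.
    self.counter += 1
    return _abi_encode(self.counter)

@external
def deploy_unsafe(blueprint: address) -> address:
    # The side-effecting expression is passed directly as `args` with
    # raw_args=True. On Vyper 0.3.10 and earlier (CVE-2024-32647) the
    # expression can be evaluated more than once, so `counter` may advance
    # by more than one per deployment and the child may receive calldata
    # that differs from the value the caller expected.
    return create_from_blueprint(blueprint, self._next_args(), raw_args=True)

@external
def deploy_safe(blueprint: address) -> address:
    # Workaround from the advisory: evaluate the side-effecting expression
    # exactly once into a local, then pass the local (no side-effects) as args.
    args: Bytes[32] = self._next_args()
    return create_from_blueprint(blueprint, args, raw_args=True)
```

A unit test that deploys via `deploy_unsafe` and asserts `counter()` advanced by exactly one is the kind of client test the advisory expects to expose the double evaluation.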
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD published the first details for CVE-2024-32647
A CVSS base score of 5.3 has been assigned.
EPSS Score was set to: 0.04% (Percentile: 8.2%)
EPSS Score was set to: 0.04% (Percentile: 8.3%)