SCA: security update for vyper (GHSA-2q8v-3gqq-4f8p)

Severity: Critical | Tenable Self-Hosted Container Security | Plugin ID 421486

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can
write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid
data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy
functions (for `>=0.3.2`, the `copy_bytes` function). A contract search was performed and no vulnerable
contracts were found in production. The buffer overflow can result in a change of semantics of the
contract. The overflow is length-dependent and thus it might go unnoticed during contract testing.
However, certainly not all usages of `concat` will result in overwritten valid data, as we require it to be
in an internal function and close to the return statement, where other memory allocations don't occur. This
issue has been addressed in 0.4.0. (CVE-2024-22419)

See Also

https://github.com/advisories/GHSA-2q8v-3gqq-4f8p

Plugin Details

Severity: Critical

ID: 421486

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-22419

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/19/2024

Vulnerability Publication Date: 1/18/2024

Reference Information

CVE: CVE-2024-22419