CVE-2024-24560

CVE-2024-24560 is a low-severity security vulnerability in vyper (pip), affecting versions < 0.4.0. It is fixed in 0.4.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Vyper's external calls can overflow return data to return input buffer

When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.

This advisory is given a severity of "Low" because when the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.

Details

When arguments are packed for an external call, we create a buffer of size max(args, return_data) + 32. The input buffer is placed in this buffer (starting at byte 28), and the return buffer is allocated to start at byte 0. The assumption is that we can reuse the memory becase we will not be able to read past RETURNDATASIZE.

if fn_type.return_type is not None:
    return_abi_t = calculate_type_for_external_return(fn_type.return_type).abi_type

    # we use the same buffer for args and returndata,
    # so allocate enough space here for the returndata too.
    buflen = max(args_abi_t.size_bound(), return_abi_t.size_bound())
else:
    buflen = args_abi_t.size_bound()

buflen += 32  # padding for the method id

When data is returned, we unpack the return data by starting at byte 0. We check that RETURNDATASIZE is greater than the minimum allowed for the returned type:

if not call_kwargs.skip_contract_check:
    assertion = IRnode.from_list(
        ["assert", ["ge", "returndatasize", min_return_size]],
        error_msg="returndatasize too small",
    )
    unpacker.append(assertion)

This check ensures that any dynamic types returned will have a size of at least 64. However, it does not verify that RETURNDATASIZE is as large as the length word of the dynamic type.

As a result, if a contract expects a dynamic type to be returned, and the part of the return data that is read as length includes a size that is larger than the actual RETURNDATASIZE, the return data read from the buffer will overrun the actual return data size and read from the input buffer.

Proof of Concept

This contract calls an external contract with two arguments. As the call is made, the buffer includes:

  • byte 28: method_id
  • byte 32: first argument (0)
  • byte 64: second argument (hash)

The return data buffer begins at byte 0, and will return the returned bytestring, up to a maximum length of 96 bytes.

interface Zero:
    def sneaky(a: uint256, b: bytes32) -> Bytes[96]: view

@external
def test_sneaky(z: address) -> Bytes[96]:
    return Zero(z).sneaky(0, keccak256("oops"))

On the other side, imagine a simple contract that does not, in fact, return a bytestring, but instead returns two uint256s. I've implemented it in Solidity for ease of use with Foundry:

function sneaky(uint a, bytes32 b) external pure returns (uint, uint) {
    return (32, 32);
}

The return data will be parsed as a bytestring. The first 32 will point us to byte 32 to read the length. The second 32 will be perceived as the length. It will then read the next 32 bytes from the return data buffer, even though those weren't a part of the return data.

Since these bytes will come from byte 64, we can see above that the hash was placed there in the input buffer.

If we run the following Foundry test, we can see that this does in fact happen:

function test__sneakyZeroReturn() public {
    ZeroReturn z = new ZeroReturn();
    c = SuperContract(deployer.deploy("src/loose/", "ret_overflow", ""));
    console.logBytes(c.test_sneaky(address(z)));
}
Logs:
  0xd54c03ccbc84dd6002c98c6df5a828e42272fc54b512ca20694392ca89c4d2c6

Impact

Malicious or mistaken contracts returning the malformed data can result in overrunning the returned data and reading return data from the input buffer.

CVE-2024-24560 has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.4.0); upgrading removes the vulnerable code path.

Affected versions

vyper (< 0.4.0)

Security releases

vyper → 0.4.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Patched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.

Frequently Asked Questions

  1. What is CVE-2024-24560? CVE-2024-24560 is a low-severity security vulnerability in vyper (pip), affecting versions < 0.4.0. It is fixed in 0.4.0.
  2. How severe is CVE-2024-24560? CVE-2024-24560 has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of vyper are affected by CVE-2024-24560? vyper (pip) versions < 0.4.0 is affected.
  4. Is there a fix for CVE-2024-24560? Yes. CVE-2024-24560 is fixed in 0.4.0. Upgrade to this version or later.
  5. Is CVE-2024-24560 exploitable, and should I be worried? Whether CVE-2024-24560 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-24560 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-24560? Upgrade vyper to 0.4.0 or later.

Other vulnerabilities in vyper

Stop the waste.
Protect your environment with Kodem.