CVE Tools
Sign in

CVE-2024-32481

vyper's range(start, start + N) reverts for negative numbers

Published: Apr 25, 2024Updated: May 5, 2025 Sources: CVE List NVD GHSACWE-681
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.8%
Top 48.5%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused by an incorrect assertion inserted by the code generation of the range `stmt.parse_For_range()`. The issue arises when `start` is signed, instead of using `sle`, `le` is used and `start` is interpreted as an unsigned integer for the comparison. If it is a negative number, its 255th bit is set to `1` and is hence interpreted as a very large unsigned integer making the assertion always fail. Any contract having a `range(start, start + N)` where `start` is a signed integer with the possibility for `start` to be negative is affected. If a call goes through the loop while supplying a negative `start` the execution will revert. Version 0.4.0b1 fixes the issue.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-681

Affected Products

vypervyperlang
Mixed
DevTools & CI / build-test-tools
vyperPyPIOSS Libraries
vyperlangoss-projectDevTools & CI
pypipackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/vyperlang/vyper/security/advisories/GHSA-ppx5-q359-pvwj
github.com
https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868
github.com
https://github.com/vyperlang/vyper/commit/5319cfbe14951e007ccdb323257e5ada869b35d5
github.com
and 3 more references View all →

Timeline

Published
Apr 25, 2024
Last Updated
May 5, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-32481 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows