Miggo Logo
Miggo Vulnerability Database
CVE-2018-18920

CVE-2018-18920: Py-EVM is vulnerable to arbitrary bytecode injection

8.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-18920
GHSA ID
GHSA-vqgp-4jgj-5j64
EPSS Score
0.72987%
CWE
CWE-119
Published
11/21/2018
Updated
10/21/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
py-evmpip<= 0.2.0a33

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references vm.execute_bytecode as the entry point for triggering the issue, indicating improper input handling or gas enforcement. The stack corruption (via computation._stack.values) points to a failure in type validation during stack operations. While execute_bytecode is directly implicated (high confidence), the exact stack-handling functions are inferred from the error context (medium confidence due to lack of explicit code references).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Py-*VM v*.*.*-*lp**.** *llows *tt**k*rs to m*k* * vm.*x**ut*_*yt**o** **ll t**t tri***rs *omput*tion._st**k.v*lu*s wit* '"st**k": [***, ***, *]' w**r* *'\x' w*s *xp**t**, r*sultin* in *n *x**ution **ilur* ****us* o* *n inv*li* op*o**. T*is is r*port*

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s vm.*x**ut*_*yt**o** *s t** *ntry point *or tri***rin* t** issu*, in*i**tin* improp*r input **n*lin* or **s *n*or**m*nt. T** st**k *orruption (vi* *omput*tion._st**k.v*lu*s) points to * **ilur* in typ* v*li**tio