CVE-2025-47285 – Vyper Ethereum Virtual Machine Side-Effect Evaluation Vulnerability

CVE ID : CVE-2025-47285

Published : May 15, 2025, 6:15 p.m. | 43 minutes ago

Description : Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b””`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b”” if self.do_some_side_effect() else b””`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don’t have side effects in expressions which construct zero-length bytestrings.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…