Execution Flaw in Vyper Smart Contract Language for EVM
CVE-2025-27104

2.3LOW

Key Information:

Vendor: Vyperlang
Status: Vyper
Vendor: CVE Published:; 21 February 2025

Summary

The Vyper smart contract language for the Ethereum Virtual Machine (EVM) is susceptible to an execution flaw that involves multiple evaluations of a single expression in the iterator target of a for loop. Although the iterator expression itself does not allow for multiple writes, it can read side effects from the loop body, potentially causing erroneous results. Specifically, iterator reads that include conditional expressions may lead to interleaved read and write actions within the loop, resulting in unexpected behaviors in smart contract execution. Developers are strongly advised to upgrade to version 0.4.1, which is expected to resolve this issue, as there are no known workarounds available.

Affected Version(s)

vyper < 0.4.1

References

https://github.com/vyperlang/vyper/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/vyperlang/vyper/pull/4488

x_refsource_MISC

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Feb 18, 2025