Vyper Programming Language Vulnerability in Ethereum Virtual Machine
CVE-2025-47285

2.9 LOW

Key Information:

Vendor

Vyperlang

Status
Vendor
CVE Published:
15 May 2025

What is CVE-2025-47285?

The Vyper programming language for the Ethereum Virtual Machine contains a vulnerability in its concat() function, which may skip the evaluation of expressions with side effects when the length of an argument is zero. This issue arises from a fastpath in the implementation designed to enhance performance by bypassing the evaluation of such expressions for zero-length bytestrings. Although it is uncommon to create zero-length bytestrings with expressions that have side effects, this vulnerability could be exploited in specific scenarios. Developers are advised to avoid side effects within expressions constructing zero-length bytestrings to mitigate risks. A fix is being implemented and is expected to be included in the upcoming 0.4.2 release.
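The following Python model is an added illustration of the behaviour described above. It is not code from the Vyper compiler or from this advisory. The names Arg, Contract, concat_fastpath, concat_all and run are hypothetical, and the model assumes the zero length is known statically as a maximum length.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Arg:
    """One concat() argument in this toy model (not a Vyper compiler type)."""
    maxlen: int                     # assumed: statically known maximum length
    evaluate: Callable[[], bytes]   # running this may change contract state


class Contract:
    """Constructed stand-in for contract storage with one counter."""

    def __init__(self) -> None:
        self.counter = 0

    def bump_and_return_empty(self) -> bytes:
        self.counter += 1           # the side effect the caller relies on
        return b""                  # zero-length bytestring


def concat_fastpath(args: List[Arg]) -> bytes:
    """Models the flaw: zero-length arguments are never evaluated."""
    out = b""
    for arg in args:
        if arg.maxlen == 0:
            continue                # fastpath: the side effect is silently lost
        out += arg.evaluate()
    return out


def concat_all(args: List[Arg]) -> bytes:
    """Expected semantics: every argument is evaluated, left to right."""
    out = b""
    for arg in args:
        out += arg.evaluate()
    return out


def run(concat_impl: Callable[[List[Arg]], bytes]) -> Tuple[bytes, int]:
    """Concatenate b'abc' with a side-effecting empty value; return (bytes, counter)."""
    contract = Contract()
    args = [Arg(3, lambda: b"abc"), Arg(0, contract.bump_and_return_empty)]
    return concat_impl(args), contract.counter


if __name__ == "__main__":
    print("fastpath:", run(concat_fastpath))   # same bytes, counter not updated
    print("expected:", run(concat_all))        # same bytes, counter updated
```

Both variants return the same bytes, so a test that only checks the return value of concat() does not catch the difference. Asserting on contract state after the call does.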

Affected Version(s)

vyper <= 0.4.2rc1

CVSS V4

Score: 2.9
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved