CVE-2025-47285

Vulnerability Description

Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.

Related Weaknesses (CWE)

References

• https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316
• https://github.com/vyperlang/vyper/pull/4644
• https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm

FAQ

What is CVE-2025-47285?

CVE-2025-47285 is a documented vulnerability. Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is ...

How severe is CVE-2025-47285?

CVSS scoring is not yet available for CVE-2025-47285. Check NVD for updates.

Is there a patch for CVE-2025-47285?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.