CVE-2025-47774 Information

Description

Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1 the slice() builtin can elide side effects when the output length is 0 and the source bytestring is a builtin (msg.data or <address>.code). The reason is that for these source locations the check that length >= 1 is skipped. The result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the start argument may be elided when the length argument is 0 e.g. slice(msg.data self.do_side_effect() 0). The fix in pull request 4645 disallows any invocation of slice() with length 0 including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.

Reference

https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319 https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191 https://github.com/vyperlang/vyper/pull/4645 https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm