CVE-2025-47774
Description
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). The reason is that for these source locations, the check that length >= 1 is skipped. The result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0). The fix in pull request 4645 disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vyperPyPI | <= 0.4.2rc1 | — |
Patches
11fdfd69fbe97Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-3vcg-j39x-cwfmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-47774ghsaADVISORY
- github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.pynvdWEB
- github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.pynvdWEB
- github.com/vyperlang/vyper/pull/4645nvdWEB
- github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfmnvdWEB
News mentions
0No linked articles in our index yet.