Which versions of Vyper are affected by CVE-2025-27104?

CVE-2025-27104 is a low-severity vulnerability in vyper (CVSS 2.3). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.. A patch is available.

Is there a public PoC exploit available for CVE-2025-27104?

Yes, a public proof-of-concept exploit is available for CVE-2025-27104. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-27104?

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.

Vyper CVE-2025-27104

Q: What is the CVSS score of CVE-2025-27104?

CVE-2025-27104 has a CVSS 4.0 base score of 2.3 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

LOW

Improper Synchronization (CWE-662)

2025-02-21 security-advisories@github.com

Information Disclosure Vyper

2.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

Patch released

Mar 28, 2026 - 18:27 nvd

Patch available

PoC Detected

Mar 28, 2025 - 20:05 vuln.today

Public exploit code

CVE Published

Feb 21, 2025 - 22:15 nvd

LOW 2.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on vyper (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.4.1.

DescriptionNVD

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the range() builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, range_scope forces iter_list to be parsed in a constant context, which is checked against is_constant). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, iter_list is instantiated in the body of a repeat ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

AnalysisAI

vyper is a Pythonic Smart Contract Language for the EVM. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-662. vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the range() builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, range_scope forces iter_list to be parsed in a constant context, which is checked against is_constant). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, iter_list is instantiated in the body of a repeat ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability. Affected products include: Vyperlang Vyper. Version information: version 0.4.1..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-27104 vulnerability details – vuln.today

Back