Which versions of Vyper are affected by CVE-2025-47285?

CVE-2025-47285 is a low-severity vulnerability in versions (CVSS 2.9). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.

How to fix or mitigate CVE-2025-47285?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Vyper CVE-2025-47285

Q: What is the CVSS score of CVE-2025-47285?

CVE-2025-47285 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Insufficient Control Flow Management (CWE-691)

2025-05-15 security-advisories@github.com

Information Disclosure

2.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:42 vuln.today

CVE Published

May 15, 2025 - 18:15 nvd

LOW 2.9

DescriptionNVD

Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, concat() may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal b""; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. b"" if self.do_some_side_effect() else b"". The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.

AnalysisAI

Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-691. Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, concat() may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal b""; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. b"" if self.do_some_side_effect() else b"". The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-47285 vulnerability details – vuln.today

Back