Vyper CVE-2025-47774
Severity: LOW (NVD)
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). The reason is that for these source locations, the check that length >= 1 is skipped. The result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0). The fix in pull request 4645 disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.
Analysis (AI)
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. This is a compiler bug rather than a runtime flaw in Vyper itself: a contract compiled with an affected version (up to and including 0.4.2rc1) can silently lose a side effect that its source code plainly contains. The NVD CVSS 4.0 vector (score 2.9, LOW) reflects that shape: network-reachable, low attack complexity, no privileges or user interaction, but with attack requirements present (AT:P, the contract must use the specific slice() pattern) and only a low integrity impact. "Remotely exploitable" here means that anyone able to call an affected contract exercises the miscompiled code path; there is no separate exploit against the compiler. A fix exists in pull request 4645 and is expected in Vyper 0.4.2.
Technical Context (AI)
This vulnerability is classified under CWE-691 (Insufficient Control Flow Management). The root cause is a missing check on two specific code paths, not a general defect in slice(): when the source bytestring is the builtin msg.data or <address>.code, the compiler skips the check that length >= 1. A zero-length result can then reach make_byte_array_copier, which does not emit code to evaluate its source argument when the maximum length is 0. Because the start expression is evaluated as part of that source, any side effect in it disappears from the compiled bytecode, so slice(msg.data, self.do_side_effect(), 0) compiles as if self.do_side_effect() were never called, while the source still reads as though it is. That is why the impact is an integrity issue (VI:L) rather than a crash or a leak: whatever state change do_side_effect() was meant to perform does not happen at runtime. Affected versions: up to and including 0.4.2rc1. The fix in pull request 4645 disallows any invocation of slice() with length 0, including for the two builtin source locations, so a fixed compiler turns the ambiguous case into a compile-time error instead of trying to preserve the side effect. The fix is expected to be part of version 0.4.2.
Affected Products (AI)
Vyper, versions up to and including 0.4.2rc1 (per the advisory). Contracts compiled and deployed with an affected version remain affected until they are recompiled with a fixed compiler and redeployed, since deployed EVM bytecode does not change when the compiler is updated.
Remediation (AI)
Upgrade to a Vyper build that contains pull request 4645 (expected in version 0.4.2) and recompile. Because the fixed compiler rejects any slice() call with length 0, code that relied on the pattern will fail to compile and must be rewritten; the simplest rewrite is to hoist the side-effecting expression into its own statement before the slice() call, which is also safe on affected compilers because a standalone statement is always evaluated. Audit existing source for slice() calls whose source is msg.data or <address>.code, whose length is 0 and whose start argument contains a call or other side effect, and review already-deployed contracts compiled with affected versions, since their bytecode cannot be fixed in place.
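As an added example, not code from vuln.today or the Vyper project, the Python script below demonstrates both the mechanism in the Description and the audit step in the Remediation. It embeds two constructed Vyper snippets, the advisory's slice(msg.data, self.do_side_effect(), 0) shape (plus the <address>.code variant) and a hoisted rewrite, and scans them for the pattern with Python's ast module. It assumes the contract text parses as Python (Vyper syntax is a close relative, but struct/event/interface blocks and annotated for-loop variables would need stripping first); the names scan, Finding and the underscore helpers are this example's own.

```python
# Heuristic scanner for the CVE-2025-47774 slice() pattern in Vyper source.
# Added example, not vuln.today's or the Vyper project's code. Assumes the
# contract text parses with Python's ast module and that the dangerous shape
# is exactly the one the advisory describes:
#     slice(<msg.data or X.code>, <start containing a side effect>, 0)
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample: the shape the advisory warns about, for both sources.
VULNERABLE_SRC = """
counter: uint256

@internal
def do_side_effect() -> uint256:
    self.counter += 1
    return 0

@external
def f() -> Bytes[32]:
    # side effect in start, length 0, source is msg.data: the call is elided
    return slice(msg.data, self.do_side_effect(), 0)

@external
def g(target: address) -> Bytes[32]:
    return slice(target.code, self.do_side_effect(), 0)
"""

# Constructed sample: same intent, side effect hoisted into its own statement,
# which an affected compiler still evaluates unconditionally.
SAFE_SRC = """
counter: uint256

@internal
def do_side_effect() -> uint256:
    self.counter += 1
    return 0

@external
def f() -> Bytes[32]:
    start: uint256 = self.do_side_effect()
    return slice(msg.data, start, 1)
"""


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line of the slice() call
    source: str   # "msg.data" or the <expr>.code text
    start: str    # text of the start argument whose side effect is elided


def _builtin_source_label(node: ast.AST) -> str | None:
    """Return a label if `node` is msg.data or <expr>.code, else None."""
    if isinstance(node, ast.Attribute):
        if (node.attr == "data" and isinstance(node.value, ast.Name)
                and node.value.id == "msg"):
            return "msg.data"
        if node.attr == "code":
            return ast.unparse(node)
    return None


def _is_literal_zero(node: ast.AST) -> bool:
    # Exclude bool: False == 0 in Python but is not a length literal.
    return (isinstance(node, ast.Constant) and not isinstance(node.value, bool)
            and node.value == 0)


def _may_have_side_effect(node: ast.AST) -> bool:
    """Conservative: any call nested inside the start expression counts."""
    return any(isinstance(n, ast.Call) for n in ast.walk(node))


def scan(src: str) -> list[Finding]:
    """Report slice(<builtin source>, <side-effecting start>, 0) calls."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "slice" and len(node.args) == 3):
            continue
        source, start, length = node.args
        label = _builtin_source_label(source)
        if label is None or not _is_literal_zero(length):
            continue
        if _may_have_side_effect(start):
            findings.append(Finding(node.lineno, label, ast.unparse(start)))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        hits = scan(src)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h.line}: slice({h.source}, {h.start}, 0)")
```

The scanner only flags the advisory's exact shape; a zero-length slice without a call in its start argument is not reported, even though the 0.4.2 fix will reject it at compile time. Running it against a real project still requires a fixed compiler for the authoritative answer; this is a triage aid for deciding which deployed contracts to look at first.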