CVE-2025-47285

EPSS 0.02%
Veröffentlicht 15.05.2025 17:24:03
Zuletzt bearbeitet 16.05.2025 14:43:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervyperlang

≫

Produkt vyper

Version <= 0.4.2rc1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.056

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	2.9	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-691 Insufficient Control Flow Management

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm

https://github.com/vyperlang/vyper/pull/4644

https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562

https://nvd.nist.gov/vuln/detail/CVE-2025-47285

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-47285

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-47285

EUVD