{"id":"CVE-2025-47774","summary":"Vyper's `slice()` may elide side-effects when output length is 0","details":"Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `\u003caddress\u003e.code`). The reason is that for these source locations, the check that `length \u003e= 1` is skipped. The result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`. The fix in pull request 4645 disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.","aliases":["GHSA-3vcg-j39x-cwfm"],"modified":"2026-04-10T05:27:30.785413Z","published":"2025-05-15T17:38:58.487Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47774.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-691"]},"references":[{"type":"WEB","url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319"},{"type":"WEB","url":"https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47774.json"},{"type":"ADVISORY","url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47774"},{"type":"FIX","url":"https://github.com/vyperlang/vyper/pull/4645"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vyperlang/vyper","events":[{"introduced":"0"},{"last_affected":"11522b836bd0d86cf43ec186aa3b2b8e986ca4fe"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.4.2rc1"}]}}],"versions":["0.2.1","pre-release","v0.0.4","v0.1.0-beta.1","v0.1.0-beta.10","v0.1.0-beta.11","v0.1.0-beta.12","v0.1.0-beta.13","v0.1.0-beta.14","v0.1.0-beta.15","v0.1.0-beta.16","v0.1.0-beta.17","v0.1.0-beta.2","v0.1.0-beta.3","v0.1.0-beta.5","v0.1.0-beta.6","v0.1.0-beta.7","v0.1.0-beta.8","v0.1.0-beta.9","v0.2.0","v0.2.1","v0.2.10","v0.2.11","v0.2.12","v0.2.13","v0.2.14","v0.2.15","v0.2.16","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.2.7","v0.2.8","v0.2.9","v0.3.0","v0.3.1","v0.3.10","v0.3.10rc1","v0.3.10rc2","v0.3.10rc3","v0.3.10rc4","v0.3.10rc5","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.3.9","v0.4.0","v0.4.0b1","v0.4.0b2","v0.4.0b3","v0.4.0b4","v0.4.0b5","v0.4.0b6","v0.4.0rc1","v0.4.0rc2","v0.4.0rc3","v0.4.0rc4","v0.4.0rc5","v0.4.0rc6","v0.4.1","v0.4.1b1","v0.4.1b2","v0.4.1b3","v0.4.1b4","v0.4.1rc1","v0.4.1rc2","v0.4.1rc3","v0.4.2rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47774.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}