CVE-2025-27104: Vyper has a double eval in For List Iter

February 21, 2025 (updated February 24, 2025)

Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body.

The fix is tracked in https://github.com/vyperlang/vyper/pull/4488.

References

github.com/advisories/GHSA-h33q-mhmp-8p67
github.com/vyperlang/vyper
github.com/vyperlang/vyper/pull/4488
github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67
nvd.nist.gov/vuln/detail/CVE-2025-27104

Detect and mitigate CVE-2025-27104 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →