CVE-2025-27104: Vyper has a double eval in For List Iter
Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot itself produce multiple writes, it can consume side effects produced in the loop body (for example, read a storage variable that the loop body updates) and thus lead to unexpected program behavior. Specifically, reads in an iterator that contains an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave with writes in the loop body, so a later iteration can observe a value written by an earlier one rather than the value the iterator held when the loop was entered.
The fix is tracked in https://github.com/vyperlang/vyper/pull/4488.
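The following contract is an added illustration written for this page; it is not code from the Vyper project, the advisory, or the linked pull request. The storage variable counter, the helper read, and the functions sum_pair and sum_pair_hoisted are assumed names. sum_pair mirrors the advisory's shape: the iterator target is an ifexp whose branches read storage that the loop body writes. sum_pair_hoisted shows a defensive pattern of my own (not the project's fix) that evaluates the list exactly once into memory before iterating it; the actual remedy is to build with a compiler that includes the fix above.

```vyper
# Added example for CVE-2025-27104; not code from the Vyper project.
# counter, read, sum_pair and sum_pair_hoisted are assumed names.

counter: public(uint256)

@internal
@view
def read() -> uint256:
    return self.counter

@external
def sum_pair(flag: bool) -> uint256:
    # Vulnerable shape: the iterator is an ifexp whose chosen branch reads
    # storage that the loop body updates. On an affected compiler the
    # iterator expression can be evaluated again during iteration, so a
    # later element may see the counter after `self.counter += 1` has run,
    # and `total` need not equal 2 * (counter at loop entry).
    total: uint256 = 0
    for s: uint256 in ([self.read(), self.read()] if flag else [0, 0]):
        self.counter += 1
        total += s
    return total

@external
def sum_pair_hoisted(flag: bool) -> uint256:
    # Defensive pattern (assumed workaround, not the project's fix): the
    # ifexp is evaluated once when `items` is assigned, so the loop body
    # cannot influence the values being iterated.
    items: uint256[2] = [self.read(), self.read()] if flag else [0, 0]
    total: uint256 = 0
    for s: uint256 in items:
        self.counter += 1
        total += s
    return total
```

Calling sum_pair(True) and sum_pair_hoisted(True) from the same starting counter and comparing the returned totals is a direct way to check whether a given compiler build still interleaves the iterator's reads with the loop body's writes.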