CVE-2025-47285: Vyper's `concat()` builtin may elide side-effects for zero-length arguments
concat() may skip evaluation of side effects when the length of an argument is zero. this is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562
in practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal b""; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. b"" if self.do_some_side_effect() else b"".
the following example demonstrates how the issue would look in user code
counter: public(uint256)
@external
def test() -> Bytes[256]:
a: Bytes[256] = concat(b"" if self.sideeffect() else b"", b"aaaa")
return a
def sideeffect() -> bool:
self.counter += 1
return True
the severity assigned is low, since, as mentioned, this would be a very unusual pattern in user-code.
References
- github.com/advisories/GHSA-qhr6-mgqr-mchm
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py
- github.com/vyperlang/vyper/pull/4644
- github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm
- nvd.nist.gov/vuln/detail/CVE-2025-47285
Code Behaviors & Features
Detect and mitigate CVE-2025-47285 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →