CVE-2025-47285: 
Python vulnerability analysis and mitigation

Vyper, the Pythonic Programming Language for the Ethereum Virtual Machine, contains a vulnerability in versions up to and including 0.4.2rc1 where the concat() builtin function may skip evaluation of side effects when the length of an argument is zero. The vulnerability was discovered and disclosed on May 15, 2025, and has been assigned CVE-2025-47285 (GitHub Advisory, NVD).

The vulnerability stems from a fastpath implementation in the concat() function that skips evaluation of argument expressions when their length is zero. This occurs due to a code section that explicitly ignores empty strings when arg.typ.maxlen equals 0. The issue primarily affects code using the ternary operator introduced in v0.3.8, where zero-length bytestrings are constructed with side effects, such as b"" if self.dosomeside_effect() else b"". The vulnerability has been assigned a CVSS v4.0 score of 2.9 (LOW) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P (Wiz).

The impact of this vulnerability is considered low since it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects. Typically, zero-length bytestrings are constructed with the empty literal b"". However, in cases where side effects are intended in such constructions, the expected side effects may not occur, potentially leading to unexpected behavior in smart contracts (GitHub Advisory).

As a temporary workaround, developers are advised not to have side effects in expressions which construct zero-length bytestrings. A permanent fix is available in pull request 4644 and is expected to be included in the 0.4.2 release. The fix removes the fastpath implementation that caused the side effect elimination (GitHub PR, GitHub Advisory).