
Cloud Vulnerability DB
Vyper, a Pythonic programming language for the Ethereum Virtual Machine, contains a vulnerability in versions up to and including 0.4.2rc1. The issue was discovered and disclosed on May 15, 2025, and concerns the slice() builtin, which can elide side effects in its arguments when the requested output length is 0 and the source bytestring is one of the builtin "ad hoc" locations (msg.data or an address's .code). It has been assigned CVE-2025-47774 with a CVSS v4.0 score of 2.9 (Low) (GitHub Advisory, NVD).
The vulnerability stems from a length-validation check in the slice() builtin that is skipped for the ad hoc source locations. For those sources the check that length >= 1 is not applied, so a 0-length bytestring can be constructed with slice() and handed to make_byte_array_copier. Because the length check is only performed for non-ad-hoc slice operations, these sources fall through a gap in validation. The issue is classified under CWE-691 (Insufficient Control Flow Management) (GitHub Advisory).
The practical impact is that side effects in the start argument may be elided when the length argument is 0: in an expression such as slice(msg.data, self.do_side_effect(), 0), the call to self.do_side_effect() may never execute, even though a reader of the source would expect it to run. The severity is rated low because a 0-length slice of a builtin location is not a commonly used pattern and is unlikely to appear in typical user code (GitHub Advisory).
The fix, implemented in pull request #4645, disallows any invocation of slice() with length 0, including for the ad hoc locations, and is expected to ship in version 0.4.2. Until they can upgrade, users should make sure every call to slice() uses a length greater than 0; a quick review is to search the codebase for slice() calls on msg.data or .code whose third argument is the literal 0 (GitHub Advisory).
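As an added illustration (not code from the advisory, the fix PR, or the Vyper project), the contract below places the advisory's pattern next to a rewrite that follows the interim guidance. The storage variable calls and the function names are assumptions; whether affected() compiles on a given pre-fix release is not something this page verifies, and on 0.4.2 and later the length-0 call is rejected at compile time.

```vyper
# pragma version ^0.4.0

# Constructed illustration of the CVE-2025-47774 pattern. Not code from the
# Vyper advisory, the fix PR, or the Vyper repository. The storage variable
# `calls` and the function names are assumptions made for this example.

calls: public(uint256)

@internal
def do_side_effect() -> uint256:
    # A storage write the author expects to happen on every external call.
    self.calls += 1
    return 0

@external
def affected() -> bytes32:
    # The pattern from the advisory: the source is the ad hoc location
    # msg.data and the requested length is 0. On affected compilers
    # (<= 0.4.2rc1) the call to self.do_side_effect() may be elided, so
    # `calls` is not incremented. Vyper 0.4.2 rejects length 0 outright.
    return keccak256(slice(msg.data, self.do_side_effect(), 0))

@external
def hardened() -> bytes32:
    # Evaluate the side effect as its own statement, so the result does not
    # depend on how slice() is lowered, and keep the slice length >= 1.
    start: uint256 = self.do_side_effect()
    # slice() bounds-checks at runtime: this reverts if msg.data is shorter
    # than start + 4 bytes (the 4-byte selector always satisfies start = 0).
    return keccak256(slice(msg.data, start, 4))
```

To observe the difference on a deployed build, read calls() before and after calling each function: hardened() always increments it, while affected() on an affected compiler may leave it unchanged. On 0.4.2 and later the affected() function does not compile, which is the behaviour the fix introduces.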
Source: This report was generated using AI