CVE-2025-47285
CVE-2025-47285 is a low-severity vulnerability with a CVSS 4.0 base score of 2.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-691.
Key facts
- Severity: Low (CVSS 4.0 base score 2.9)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-15445
- Weakness: CWE-691
- Published:
- Last modified:
Description
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.
Frequently asked questions
- What is CVE-2025-47285?
- Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.
- How severe is CVE-2025-47285?
- CVE-2025-47285 has a CVSS 4.0 base score of 2.9, rated low severity.
- Is CVE-2025-47285 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-47285?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-47285 have an EU (EUVD) identifier?
- Yes. CVE-2025-47285 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-15445.
- When was CVE-2025-47285 published?
- CVE-2025-47285 was published on 2025-05-15 and last updated on 2026-06-17.
References
- https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562
- https://github.com/vyperlang/vyper/pull/4644
- https://github.com/vyperlang/vyper/security/advisories/GHSA-qhr6-mgqr-mchm
Other CWE-691 vulnerabilities
- CVE-2023-20559 — High (CVSS 8.8): Insufficient control flow management in AmdCpmGpioInitSmm may allow a privileged attacker to tamper with the SMM…
- CVE-2025-25273 — High (CVSS 7.8): Insufficient control flow management in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before…
- CVE-2025-22893 — High (CVSS 7.8): Insufficient control flow management in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before…
- CVE-2021-4106 — High (CVSS 7.8): A vulnerability in Snow Inventory Java Scanner allows an attacker to run malicious code at a higher level of…
- CVE-2025-35963 — High (CVSS 7.4): Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160…
- CVE-2025-24305 — High (CVSS 7.2): Insufficient control flow management in the Alias Checking Trusted Module (ACTM) firmware for some Intel(R) Xeon(R)…