cvelistv5 - cve-2025-27104

cve-2025-27104

Vulnerability from cvelistv5

Published

2025-02-21 21:32

Modified

2025-02-21 21:32

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/vyperlang/vyper/pull/4488
	security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67

Impacted products

	Vendor	Product	Version
	vyperlang	vyper	Version: < 0.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-662",
              "description": "CWE-662: Improper Synchronization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-21T21:32:24.621Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67"
        },
        {
          "name": "https://github.com/vyperlang/vyper/pull/4488",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/pull/4488"
        }
      ],
      "source": {
        "advisory": "GHSA-h33q-mhmp-8p67",
        "discovery": "UNKNOWN"
      },
      "title": "double eval in For List Iter in Vyper"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27104",
    "datePublished": "2025-02-21T21:32:24.621Z",
    "dateReserved": "2025-02-18T16:44:48.765Z",
    "dateUpdated": "2025-02-21T21:32:24.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27104\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-21T22:15:13.773\",\"lastModified\":\"2025-02-21T22:15:13.773\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"LOW\",\"vulnerableSystemIntegrity\":\"LOW\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-662\"}]}],\"references\":[{\"url\":\"https://github.com/vyperlang/vyper/pull/4488\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-h33q-mhmp-8p67

Vulnerability from github

Published

2025-02-21 22:43

Modified

2025-02-21 22:43

Summary

Vyper has a double eval in For List Iter

Details

Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body.

The fix is tracked in https://github.com/vyperlang/vyper/pull/4488.

Vulnerability Details

Vyper for loops allow two kinds of iterator targets, namely the range() builtin and an iterable type, like SArray and DArray.

During codegen, iterable lists are required to not produce any side-effects (in the following code, range_scope forces iter_list to be parsed in a constant context, which is checked against is_constant).

```python def _parse_For_list(self): with self.context.range_scope(): iter_list = Expr(self.stmt.iter, self.context).ir_node ...

def range_scope(self): prev_value = self.in_range_expr self.in_range_expr = True yield self.in_range_expr = prev_value

def is_constant(self): return self.constancy is Constancy.Constant or self.in_range_expr ```

However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For dynamic arrays, the compiler simply panics: ```vyper x: DynArray[uint256, 3]

@external def test(): for i: uint256 in (self.usesideeffect() if True else self.usesideeffect()): pass

@view def usesideeffect() -> DynArray[uint256, 3]: return self.x ```

For SArrays on the other hand, iter_list is instantiated in the body of a repeat ir, so it can be evaluated several times.

Here are three illustrating examples. In the first example, the following test case pre-evaluates the iter list and stores the result to a temporary list in memory. So the list is only evaluated once, before entry into the loop body, and the log output will be 0, 0, 0. ```vyper event I: i: uint256

x: uint256

@deploy def init(): self.x = 0

@external def test(): for i: uint256 in [self.usesideeffect(), self.usesideeffect(), self.usesideeffect()]: self.x += 1 log I(i)

@view def usesideeffect() -> uint256: return self.x ```

However, in the next two examples, because the iterator target is not a list literal, it will be evaluated in the loop body. In the second example, iter_list is an ifexp, thus it will be evaluated lazily in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.

```vyper event I: i: uint256

x: uint256

@deploy def init(): self.x = 0

@external def test(): for i: uint256 in ([self.usesideeffect(), self.usesideeffect(), self.usesideeffect()] if True else self.otherclause()): self.x += 1 log I(i)

@view def usesideeffect() -> uint256: return self.x

@view def otherclause() -> uint256[3]: return [0, 0, 0] ```

In the third example, iter_list is also an ifexp, thus it will only be evaluated in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.

```vyper event I: i: uint256

x: uint256[3]

@deploy def init(): self.x = [0, 0, 0]

@external def test(): for i: uint256 in (self.usesideeffect() if True else self.otherclause()): self.x[0] += 1 self.x[1] += 1 self.x[2] += 1 log I(i)

@view def usesideeffect() -> uint256[3]: return self.x

@view def otherclause() -> uint256[3]: return [0, 0, 0] ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27104"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T22:43:36Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body.\n\nThe fix is tracked in https://github.com/vyperlang/vyper/pull/4488.\n\n### Vulnerability Details\n\nVyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. \n\nDuring codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`).\n\n```python\ndef _parse_For_list(self):\n    with self.context.range_scope():\n        iter_list = Expr(self.stmt.iter, self.context).ir_node\n    ...\n\ndef range_scope(self):\n    prev_value = self.in_range_expr\n    self.in_range_expr = True\n    yield\n    self.in_range_expr = prev_value\n\ndef is_constant(self):\n    return self.constancy is Constancy.Constant or self.in_range_expr\n```\n\nHowever, this does not prevent the iterator from consuming side effects provided by the body of the loop. For dynamic arrays, the compiler simply panics:\n```vyper\nx: DynArray[uint256, 3]\n\n@external\ndef test():\n    for i: uint256 in (self.usesideeffect() if True else self.usesideeffect()):\n        pass\n\n@view\ndef usesideeffect() -\u003e DynArray[uint256, 3]:\n    return self.x\n```\n\nFor SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times.\n\nHere are three illustrating examples. In the first example, the following test case pre-evaluates the iter list and stores the result to a temporary list in memory. So the list is only evaluated once, before entry into the loop body, and the log output will be 0, 0, 0.\n```vyper\nevent I:\n    i: uint256\n\nx: uint256\n\n@deploy\ndef __init__():\n    self.x = 0\n\n@external\ndef test():\n    for i: uint256 in [self.usesideeffect(), self.usesideeffect(), self.usesideeffect()]:\n        self.x += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256:\n    return self.x\n```\n\nHowever, in the next two examples, because the iterator target is not a list literal, it will be evaluated in the loop body. In the second example, `iter_list` is an ifexp, thus it will be evaluated lazily in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.\n\n```vyper\nevent I:\n    i: uint256\n\nx: uint256\n\n@deploy\ndef __init__():\n    self.x = 0\n\n@external\ndef test():\n    for i: uint256 in ([self.usesideeffect(), self.usesideeffect(), self.usesideeffect()] if True else self.otherclause()):\n        self.x += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256:\n    return self.x\n\n@view\ndef otherclause() -\u003e uint256[3]:\n    return [0, 0, 0]\n```\n\nIn the third example, `iter_list` is also an ifexp, thus it will only be evaluated in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.\n\n```vyper\nevent I:\n    i: uint256\n\nx: uint256[3]\n\n@deploy\ndef __init__():\n    self.x = [0, 0, 0]\n\n@external\ndef test():\n    for i: uint256 in (self.usesideeffect() if True else self.otherclause()):\n        self.x[0] += 1\n        self.x[1] += 1\n        self.x[2] += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256[3]:\n    return self.x\n\n@view\ndef otherclause() -\u003e uint256[3]:\n    return [0, 0, 0]\n```",
  "id": "GHSA-h33q-mhmp-8p67",
  "modified": "2025-02-21T22:43:36Z",
  "published": "2025-02-21T22:43:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/4488"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vyper has a double eval in For List Iter"
}

fkie_cve-2025-27104

Vulnerability from fkie_nvd

Published

2025-02-21 22:15

Modified

2025-02-21 22:15

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/vyperlang/vyper/pull/4488
	security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability."
    }
  ],
  "id": "CVE-2025-27104",
  "lastModified": "2025-02-21T22:15:13.773",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "automatable": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirements": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "subsequentSystemAvailability": "NONE",
          "subsequentSystemConfidentiality": "NONE",
          "subsequentSystemIntegrity": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "vulnerableSystemAvailability": "NONE",
          "vulnerableSystemConfidentiality": "LOW",
          "vulnerableSystemIntegrity": "LOW"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-21T22:15:13.773",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/vyperlang/vyper/pull/4488"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-662"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-27104

Vulnerability from cvelistv5

ghsa-h33q-mhmp-8p67

Vulnerability from github

Vulnerability Details

fkie_cve-2025-27104

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature