CVE-2025-21607

7.5 HIGH

📋 TL;DR

The code Vyper emits for the ecrecover builtin, and for the memory copies it routes through the identity precompile, performs a STATICCALL to precompile 0x01 or 0x04 and never checks the call's success flag. Neither precompile can fail on bad input; the only way to make the call fail is to leave it too little gas. An attacker who controls the gas forwarded to a transaction, or to a nested call into the contract, can therefore starve the precompile and let execution continue with an output buffer the precompile never wrote. This affects smart contracts compiled with an affected Vyper version. The impact is limited because a failed call burns all forwarded gas and, under EIP-150, leaves the caller only the 1/64 it held back, which is enough for a few cheap instructions and little else.

💻 Affected Systems

Products:
  • Vyper Compiler
Versions: before 0.4.1
Operating Systems: All platforms running Vyper
Default Config Vulnerable: ⚠️ Yes
Notes: Only contracts whose compiled bytecode invokes EcRecover (0x1) or Identity (0x4) are affected: any contract that calls the ecrecover builtin, plus contracts in which the compiler lowered a memory copy to the identity precompile (source code never calls 0x4 directly). The defect is in the bytecode the compiler emits, not in any node or runtime, so already-deployed bytecode stays affected until it is recompiled and redeployed.

📦 What is this software?

Vyper is a Pythonic, contract-oriented language that compiles to EVM bytecode. Its builtins are lowered by the compiler into EVM instructions, including the STATICCALLs to precompiles at issue here, so a defect in that lowering is inherited by every contract compiled with an affected version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A contract that acts on the result of a starved ecrecover call or a starved memory copy without validating it continues with whatever the output buffer held before the call, which can select the wrong branch or commit an incorrect state change; if that path moves value, the outcome is financial loss.

🟠

Likely Case

Limited. After a starved precompile call the caller keeps only the 1/64 of its gas that EIP-150 holds back; for ecrecover's fixed 3000-gas cost that is under 50 gas, enough for a handful of arithmetic and memory instructions but not for a storage write, a log or another call. Sophisticated follow-on logic therefore cannot run, which makes a profitable attack on a real contract unlikely.

🟢

If Mitigated

No significant impact if the contract does not use the affected precompiles, or if its logic validates precompile results (rejecting the zero address from ecrecover and comparing the recovered signer against a known value) so that an unwritten buffer cannot be acted on.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The attacker must tune the gas forwarded to the transaction, or to a nested call into the victim, so that the STATICCALL reaches the precompile with slightly less than the precompile costs. That requires tracing the victim's gas consumption up to the call site, which is feasible because EVM execution is deterministic, but it leaves almost no gas for anything after the call. No real-world exploitation has been identified.
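To make the gas bound concrete, the following is an added example written for this page (it is not code from the Vyper project or from the advisory). It models the EIP-150 all-but-one-64th rule for a STATICCALL that forwards all remaining gas, as Vyper's generated code does, and computes the window an attacker has to hit: the largest gas amount at the call site that still starves the precompile, and how much the caller keeps afterwards. The precompile costs are the standard ones (3000 for ecrecover, 15 + 3 per 32-byte word for identity); the opcode costs listed are post-Berlin warm-access figures and exist only to show what the leftover buys. It is a model, not an EVM: it assumes the STATICCALL's own base cost and any memory expansion have already been paid.

```python
# Added example (not from the Vyper project or the advisory): a model of the
# EIP-150 gas rule that bounds what can run after a starved precompile call.

ECRECOVER_COST = 3000  # fixed cost of precompile 0x01


def identity_cost(length: int) -> int:
    """Cost of precompile 0x04 for a copy of `length` bytes: 15 + 3 per word."""
    return 15 + 3 * ((length + 31) // 32)


def all_but_one_64th(gas: int) -> int:
    """EIP-150: the most gas a CALL-family opcode may forward to its callee."""
    return gas - gas // 64


def simulate_precompile_call(gas_available: int, precompile_cost: int) -> tuple[bool, int]:
    """
    gas_available: gas the caller holds once the STATICCALL's own base cost
    (access charge plus memory expansion) has been paid. Vyper forwards `gas`
    (everything it has), so EIP-150 caps the forwarded amount at all-but-one-64th.
    Returns (precompile_succeeded, gas_left_in_caller).
    """
    forwarded = all_but_one_64th(gas_available)
    if forwarded < precompile_cost:
        # Out of gas inside the precompile: every forwarded unit is burned,
        # the success flag is 0, and the output buffer is left untouched.
        return False, gas_available - forwarded
    return True, gas_available - precompile_cost


def max_gas_after_starved_call(precompile_cost: int) -> tuple[int, int]:
    """
    The attacker's window: the largest gas_available that still starves the
    precompile, and the gas the caller keeps afterwards. all_but_one_64th is
    non-decreasing, so the starving inputs form a prefix of the integers; scan it.
    """
    assert precompile_cost > 0
    best = 0
    for gas in range(0, 64 * precompile_cost):
        if all_but_one_64th(gas) < precompile_cost:
            best = gas
        else:
            break
    return best, best - all_but_one_64th(best)


# Representative post-Berlin (EIP-2929, warm access) opcode costs, base cost
# only, to show what a starved call leaves room for.
OPCODE_COST = {
    "ADD/MLOAD/MSTORE": 3,
    "JUMPI": 10,
    "SSTORE (warm, unchanged value)": 100,
    "STATICCALL (warm target, base)": 100,
    "LOG0": 375,
}


def affordable_ops(gas_left: int) -> list[str]:
    """Opcodes from the table whose base cost fits in the leftover gas."""
    return [op for op, cost in OPCODE_COST.items() if cost <= gas_left]


if __name__ == "__main__":
    for name, cost in [("ecrecover", ECRECOVER_COST), ("identity, 4 KiB copy", identity_cost(4096))]:
        gas, left = max_gas_after_starved_call(cost)
        ok, _ = simulate_precompile_call(gas, cost)
        print(f"{name}: reach the STATICCALL with {gas} gas -> success={ok}, "
              f"{left} gas left, affordable: {affordable_ops(left)}")
```

For ecrecover the window is a single value: arriving at the call with 3046 gas forwards 2999, the precompile fails, and the caller keeps 47 gas; arriving with 3047 forwards exactly 3000 and the call succeeds. Forty-seven gas covers a few arithmetic or memory opcodes and a jump, but not a warm storage write, a log or another call, which is the arithmetic behind the "limited impact" assessment above. The identity precompile starves at a lower cost for typical copy sizes and leaves even less.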

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.1

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3

Restart Required: No

Instructions:

  1. Update the Vyper compiler to 0.4.1 or later.
  2. Recompile every contract built with an affected version. The identity precompile is emitted by the compiler for memory copies and is not visible in source, so do not limit this to contracts that call ecrecover.
  3. Redeploy the recompiled bytecode. Deployed bytecode is immutable: a contract without an upgrade mechanism cannot be patched in place and must be replaced by a new deployment with its users and state migrated.

🔧 Temporary Workarounds

Avoid affected precompiles

Platforms: all

Drop ecrecover from contract code until the contract can be recompiled with 0.4.1. This only covers precompile 0x1: the identity precompile (0x4) is emitted by the compiler for memory copies and cannot be avoided from source, so that exposure remains until recompilation.

Validate precompile results in contract logic

Platforms: all

The unchecked STATICCALL is generated by the compiler, so contract code cannot wrap it with its own gas check or error handling. What it can do is refuse to act on an unpopulated result: reject the zero address from ecrecover and compare the recovered address against the expected signer rather than trusting it as an identity on its own.

🧯 If You Can't Patch

  • Audit contracts for use of the ecrecover builtin and for large memory copies (which the compiler lowers to the identity precompile), and make their logic validate results: reject the zero address from ecrecover and compare the recovered signer against the expected value
  • Implement monitoring for unexpected contract behavior or gas usage patterns

🔍 How to Verify

Check if Vulnerable:

Run 'vyper --version'. If the reported version is below 0.4.1, every contract compiled with it is affected if it calls ecrecover or contains memory copies the compiler emitted through the identity precompile. The compiler version is the reliable indicator: identity precompile use does not appear in source, so a source scan for ecrecover only narrows the review.

Check Version:

vyper --version

Verify Fix Applied:

Confirm the compiler reports 0.4.1 or higher, recompile, and re-run the contract's test suite. With the fixed compiler a precompile call that is starved of gas reverts the transaction instead of letting execution continue, so a test that calls ecrecover with a deliberately tight gas limit should now revert rather than return a result.
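The checks above, as an added example written for this page rather than tooling from the Vyper project or the advisory. It parses a compiler version string the way 'vyper --version' prints it (for example "0.4.0+commit.e9db8d9f"), reads the version pragma a contract declares, and scans source for real ecrecover( calls with comments stripped. Pre-releases of 0.4.1 are treated as affected; that is a conservative assumption, since the advisory names the 0.4.1 release. The sample contract at the bottom is constructed for the example, and the live 'vyper --version' lookup is optional and skipped when the binary is not on PATH.

```python
# Added example (not from the advisory or the Vyper project): offline checks
# for the two facts that decide exposure, the compiler version and whether a
# contract's source calls ecrecover(). The identity precompile is emitted by
# the compiler for memory copies and cannot be found by scanning source, so
# the version check is authoritative; the ecrecover scan only narrows review.
import re
import shutil
import subprocess
from typing import Optional

FIXED_VERSION = (0, 4, 1)  # first release with the success-flag check

# Matches the numeric part of "0.3.10", "0.4.0+commit.e9db8d9f", "0.4.1rc1",
# "^0.3.10"; group 4 captures a pre-release tag such as "rc1" or ".dev3".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\.?[A-Za-z][\w.]*)?")
# Both the current "# pragma version X" and the older "# @version X" forms.
PRAGMA_RE = re.compile(r"^\s*#\s*(?:pragma\s+version|@version)\s+(\S+)", re.M)


def parse_version(text: str) -> tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) from version-ish text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version_text: str) -> bool:
    """True for any compiler older than 0.4.1. Pre-releases of 0.4.1 count as
    affected (conservative assumption; the advisory names the 0.4.1 release)."""
    major, minor, patch, prerelease = parse_version(version_text)
    base = (major, minor, patch)
    return base < FIXED_VERSION or (base == FIXED_VERSION and prerelease)


def pragma_versions(source: str) -> list[str]:
    """Version strings declared by '# pragma version' / '# @version' lines."""
    return PRAGMA_RE.findall(source)


def ecrecover_lines(source: str) -> list[int]:
    """1-based line numbers holding a real ecrecover( call, comments stripped."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # Vyper comments start with '#'
        if re.search(r"\becrecover\s*\(", code):
            hits.append(n)
    return hits


def installed_vyper_version() -> Optional[str]:
    """Output of 'vyper --version', or None when vyper is not on PATH."""
    if shutil.which("vyper") is None:
        return None
    out = subprocess.run(["vyper", "--version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


def assess(source: str, compiler_version: str) -> dict:
    """Combine the checks into one verdict for a contract and compiler pair."""
    return {
        "compiler_affected": is_affected(compiler_version),
        "pragma_affected": any(is_affected(v) for v in pragma_versions(source)),
        "ecrecover_lines": ecrecover_lines(source),
    }


# Constructed sample contract for the example, not taken from the page.
SAMPLE_SOURCE = """\
# pragma version 0.4.0

@external
@view
def signer_of(digest: bytes32, v: uint8, r: bytes32, s: bytes32) -> address:
    # ecrecover( mentioned in a comment must not count
    return ecrecover(digest, v, r, s)
"""

if __name__ == "__main__":
    # Fall back to a constructed version string when vyper is not installed.
    version = installed_vyper_version() or "0.4.0+commit.e9db8d9f"
    print(assess(SAMPLE_SOURCE, version))
```

A pragma that names an affected version does not by itself prove the deployed bytecode is affected (the contract may have been built with a newer compiler that satisfies the pragma), which is why the verdict reports the compiler version and the pragma separately.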

📡 Detection & Monitoring

Log Indicators:

  • A STATICCALL to 0x1 or 0x4 that returned failure inside a transaction that nonetheless succeeded. Receipts only carry the overall status, so this has to come from call traces (for example debug_traceTransaction with a call tracer), not from receipts
  • Transactions to affected contracts that run out of gas right after the precompile call site, or that succeed having consumed almost exactly their gas limit

Network Indicators:

  • Transactions to affected contracts carrying unusually tight, precisely chosen gas limits, since the attack only works inside a narrow gas window at the precompile call

SIEM Query:

Not applicable - blockchain transactions don't use traditional SIEM systems

🔗 References
