CVE-2025-27104

7.5 HIGH

📋 TL;DR

This vulnerability in the Vyper smart contract language allows the iterator expression of a for loop to be evaluated more than once, so reads performed in the iterator can interleave with writes performed in the loop body (side-effect consumption). The result is unexpected program behavior and potential logic manipulation in affected smart contracts. All Vyper users writing smart contracts for EVM blockchains are affected.

💻 Affected Systems

Products:
  • vyper
Versions: All versions before 0.4.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects contracts whose for loops iterate over an SArray/DArray value and contain a conditional expression (ifexp) in the iterator.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Smart contract logic manipulation leading to unauthorized fund transfers, contract state corruption, or denial of service in critical DeFi applications.

🟠 Likely Case

Unexpected contract behavior causing incorrect calculations, failed transactions, or minor financial losses in less critical applications.

🟢 If Mitigated

Limited impact if contracts don't use vulnerable iterator patterns or are deployed on testnets only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific vulnerable code patterns in smart contracts; not all Vyper contracts are vulnerable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.1

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67

Restart Required: No

Instructions:

1. Upgrade Vyper to version 0.4.1 or later using pip: pip install "vyper>=0.4.1" (the quotes keep the shell from treating >= as a redirection)
2. Recompile all existing smart contracts with the patched version
3. Redeploy contracts if they were deployed with vulnerable versions

🔧 Temporary Workarounds

Avoid vulnerable iterator patterns (applies to: all)

Manually review and refactor code so that the iterator of a for loop over an SArray/DArray iterable contains no conditional (ifexp) expression.

🧯 If You Can't Patch

  • Audit all smart contracts for vulnerable iterator patterns and refactor them
  • Limit deployment of new contracts and monitor existing ones for unexpected behavior

🔍 How to Verify

Check if Vulnerable:

Check whether any smart contracts use patterns like for s: uint256 in ([read(), read()] if True else []), that is, a conditional (if/else) expression in the iterator of a for loop over an SArray/DArray iterable.
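Added here as an example (not code from the advisory or the Vyper project): a small text-level scanner that flags for-loop headers whose iterator contains a conditional expression, skipping range(...) loops since those do not iterate an SArray/DArray. The Vyper source it scans is constructed for illustration; it is a review aid, not a parser, so treat hits as leads for manual audit.

```python
import re
from typing import List, Tuple

# Constructed Vyper source (not from the advisory): only the last loop places a
# conditional expression in the iterator of a loop over an array value.
SAMPLE_VY = """
@external
def safe(xs: DynArray[uint256, 8]) -> uint256:
    total: uint256 = 0
    for x: uint256 in xs:
        total += x
    for i: uint256 in range(3):
        total += i
    return total

@external
def suspicious(flag: bool) -> uint256:
    total: uint256 = 0
    for s: uint256 in ([self.read(), self.read()] if flag else []):
        total += s
    return total
"""

# A Vyper `for` header, with or without the 0.4.x `name: type` annotation;
# captures the iterator expression between `in` and the trailing colon.
FOR_HEADER = re.compile(r"^\s*for\s+\w+(?:\s*:\s*.+?)?\s+in\s+(?P<iter>.+):\s*$")
# A conditional (ternary) expression anywhere inside the iterator text.
IFEXP = re.compile(r"\bif\b.+\belse\b")


def iterator_is_suspect(iter_expr: str) -> bool:
    """Heuristic from the advisory: a conditional expression in the iterator.
    range(...) loops are skipped because their iterable is not an SArray/DArray."""
    expr = iter_expr.strip()
    if expr.startswith("range("):
        return False
    return IFEXP.search(expr) is not None


def scan_vyper_source(src: str) -> List[Tuple[int, str]]:
    """Return (line number, iterator expression) for every suspect loop header."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = FOR_HEADER.match(line)
        if m and iterator_is_suspect(m.group("iter")):
            hits.append((lineno, m.group("iter").strip()))
    return hits


if __name__ == "__main__":
    for lineno, expr in scan_vyper_source(SAMPLE_VY):
        print(f"line {lineno}: conditional expression in loop iterator: {expr}")
```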

Check Version:

vyper --version

Verify Fix Applied:

Verify Vyper version is 0.4.1 or higher: vyper --version

📡 Detection & Monitoring

Log Indicators:

  • Unexpected contract state changes
  • Failed transactions with gas estimation errors
  • Contract behavior deviating from expected logic

Network Indicators:

  • Unusual transaction patterns to vulnerable contracts
  • Increased failed transactions on specific contracts

SIEM Query:

Not applicable for smart contract vulnerabilities
