Impact
the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). the reason is that for these source locations, the check that length >= 1 is skipped:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319
the result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191
the impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0).
the following example illustrates how the issue would look in user code
counter: public(uint256)
@external
def test() -> Bytes[10]:
b: Bytes[10] = slice(msg.data, self.side_effect(), 0)
return b
def side_effect() -> uint256:
self.counter += 1
return 0
the severity assigned is low, since this is not a very useful pattern and unlikely to be found in user code.
Patches
the fix is tracked in https://github.com/vyperlang/vyper/pull/4645, which disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
References:- https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm
- https://nvd.nist.gov/vuln/detail/CVE-2025-47774
- https://github.com/vyperlang/vyper/pull/4645
- https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319
- https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191
- https://github.com/advisories/GHSA-3vcg-j39x-cwfm