Описание
Vyper's slice() may elide side-effects when output length is 0
Impact
the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). the reason is that for these source locations, the check that length >= 1 is skipped:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319
the result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191
the impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0).
the following example illustrates how the issue would look in user code
the severity assigned is low, since this is not a very useful pattern and unlikely to be found in user code.
Patches
the fix is tracked in https://github.com/vyperlang/vyper/pull/4645, which disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
Ссылки
- https://github.com/vyperlang/vyper/security/advisories/GHSA-3vcg-j39x-cwfm
- https://nvd.nist.gov/vuln/detail/CVE-2025-47774
- https://github.com/vyperlang/vyper/pull/4645
- https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319
- https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191
Пакеты
vyper
<= 0.4.2rc1
Отсутствует
Связанные уязвимости
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<address>.code`). The reason is that for these source locations, the check that `length >= 1` is skipped. The result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`. The fix in pull request 4645 disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.