What is the severity of CVE-2025-47285?

CVE-2025-47285 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-47285?

No known public exploits are currently available for CVE-2025-47285.

Is there a patch available for CVE-2025-47285?

No official patches have been released yet for CVE-2025-47285. Consider implementing workarounds or mitigations.

CVE-2025-47285 - CVE Details, Severity, and Analysis

Q: What is CVE-2025-47285?

### Impact `concat()` may skip evaluation of side effects when the length of an argument is zero. this is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero: https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562 in practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. the following example demonstrates how the issue would look in user code ```vyper counter: public(uint256) @external def test() -> Bytes[256]: a: Bytes[256] = concat(b"" if self.sideeffect() else b"", b"aaaa") return a def sideeffect() -> bool: self.counter += 1 return True ``` the severity assigned is low, since, as mentioned, this would be a very unusual pattern in user-code. ### Patches fix is tracked in https://github.com/vyperlang/vyper/pull/4644 ### Workarounds don't have side effects in expressions which construct zero-length bytestrings. ### References _Are there any links users can visit to find out more?_

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

No

Patch

Medium Priority

no patch

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

concat() may skip evaluation of side effects when the length of an argument is zero. this is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero: https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L560-L562

in practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal b""; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. b"" if self.do_some_side_effect() else b"".

the following example demonstrates how the issue would look in user code

counter: public(uint256)

@external
def test() -> Bytes[256]:
    a: Bytes[256] = concat(b"" if self.sideeffect() else b"", b"aaaa")
    return a

def sideeffect() -> bool:
    self.counter += 1
    return True

the severity assigned is low, since, as mentioned, this would be a very unusual pattern in user-code.

Patches

fix is tracked in https://github.com/vyperlang/vyper/pull/4644

Workarounds

don't have side effects in expressions which construct zero-length bytestrings.

References

Are there any links users can visit to find out more?

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-