PT-2025-21348 · Vyper · Vyper

Charles-Cooper · Published 2025-05-15 · Updated 2025-05-16 · CVE-2025-47774

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Vyper versions up to and including 0.4.2rc1

Description: The slice() builtin in Vyper can elide side effects when the output length is 0 and the source bytestring is a builtin, such as msg.data or <address>.code. For these source locations the check that length >= 1 is skipped, so a 0-length bytestring constructed with slice() can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0. As a result, side effects in the start argument can be elided when the length argument is 0.

Recommendations: For versions up to and including 0.4.2rc1, consider updating to version 0.4.2, which is expected to include the fix that disallows any invocation of slice() with length 0. As a temporary workaround, avoid calling slice() with a length of 0, especially when the source is msg.data or <address>.code, so that side effects are not elided.
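As an added illustration (not code from the advisory or from the Vyper project), a small Python scanner that flags the pattern the workaround says to avoid: slice() on msg.data or <address>.code with a literal length of 0. It is a text heuristic that assumes positional arguments and literal lengths, so a length that only evaluates to 0 through a constant or expression is not reported; the sample contract and self.bump() are constructed for the example.

```python
import re

# Sources the advisory names as skipping the `length >= 1` check.
BUILTIN_SOURCE = re.compile(r"^(msg\.data|.+\.code)$")
ZERO_LITERAL = re.compile(r"^(0+|0x0+)$", re.IGNORECASE)

def split_args(text, open_idx):
    """Split the call whose '(' sits at open_idx into top-level arguments."""
    args, depth, start = [], 0, open_idx + 1
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return args + [text[start:i].strip()]
        elif ch == "," and depth == 1:
            args.append(text[start:i].strip())
            start = i + 1
    return None  # unbalanced call, ignore

def find_zero_length_slices(source):
    """Return (line, source_expr, start_has_call) for each risky slice()."""
    code = re.sub(r"#[^\n]*", "", source)  # drop comments, keep line breaks
    findings = []
    for m in re.finditer(r"(?<![\w.])slice\s*\(", code):
        args = split_args(code, m.end() - 1)
        if not args or len(args) != 3:
            continue
        src, start, length = args
        if BUILTIN_SOURCE.match(src) and ZERO_LITERAL.match(length):
            line = code.count("\n", 0, m.start()) + 1
            # A call in `start` is where an elided side effect would sit.
            findings.append((line, src, "(" in start))
    return findings

# Constructed Vyper-style input for the scanner (not from the advisory).
SAMPLE = """@external
def a() -> Bytes[32]:
    return slice(msg.data, self.bump(), 0)
@external
def b(t: address) -> Bytes[32]:
    return slice(t.code, 0, 32)  # non-zero length, not reported
"""

if __name__ == "__main__":
    for finding in find_zero_length_slices(SAMPLE):
        print(finding)
```

A finding whose third field is True has a call in the start argument, which is the case the description singles out.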

Related Identifiers

CVE-2025-47774
GHSA-3VCG-J39X-CWFM

Affected Products

Vyper