CVE-2025-27104

HighPublic PoC

Published: 21 February 2025

Published

21 February 2025

Modified

28 March 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0032 55.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27104 is a high-severity Improper Synchronization (CWE-662) vulnerability in Vyperlang Vyper. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like CVE-2025-27104 in the Vyper compiler, preventing compilation and deployment of smart contracts with unexpected iterator behavior.

SI-5 Security Alerts, Advisories, and Directives partial match

detectrespond

SI-5 ensures receipt and implementation of security advisories such as GHSA-h33q-mhmp-8p67 for CVE-2025-27104, enabling prompt response to upgrade vulnerable Vyper versions.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 requires vulnerability scanning and monitoring of development tools like Vyper to identify CVE-2025-27104 and initiate remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote, unauthenticated interaction with deployed smart contracts to trigger unexpected execution and state issues, directly aligning with exploitation of public-facing applications.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced…

in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

Deeper analysisAI

CVE-2025-27104 is a vulnerability in vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). It enables multiple evaluations of a single expression in the iterator target of a for loop, allowing the iterator to consume side effects produced in the loop body, such as reading a storage variable updated during iteration. This can lead to unexpected program behavior, particularly with iterators containing if expressions (e.g., `for s: uint256 in ([read(), read()] if True else [])`) or SArrays, where the iterator list is instantiated in a `repeat` IR and re-evaluated multiple times. Vyper's codegen enforces constant context for iterable lists like range() but fails to prevent side-effect consumption from the loop body.

Remote attackers require no privileges (PR:N) and can exploit the vulnerability over the network (AV:N) by interacting with deployed smart contracts compiled using affected vyper versions that contain vulnerable for loops. Triggering such loops causes interleaved reads and writes, potentially resulting in incorrect contract execution or state manipulation. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights high availability impact due to disrupted program flow, with associated CWEs including CWE-662 (Component with Excessive Influence).

The vyper security advisory (GHSA-h33q-mhmp-8p67) and pull request #4488 state that the issue is addressed in version 0.4.1. Users are advised to upgrade to the patched release as soon as available, with no known workarounds.

Details

CWE(s): CWE-662 NVD-CWE-noinfo

Affected Products

vyperlang

vyper

≤ 0.4.1

CVEs Like This One

CVE-2025-26622Same product: Vyperlang Vyper

CVE-2025-27105Same product: Vyperlang Vyper

CVE-2025-21607Same product: Vyperlang Vyper

CVE-2026-28789Shared CWE-662

References

https://github.com/vyperlang/vyper/pull/4488
Issue Tracking, Patch · security-advisories@github.com
https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67
Exploit, Vendor Advisory · security-advisories@github.com