CVE-2025-27104

CVE-2025-27104 is a vulnerability in vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). It enables multiple evaluations of a single expression in the iterator target of a for loop, allowing the iterator to consume side effects produced in the loop body, such as reading a storage variable updated during iteration. This can lead to unexpected program behavior, particularly with iterators containing if expressions (e.g., `for s: uint256 in ([read(), read()] if True else [])`) or SArrays, where the iterator list is instantiated in a `repeat` IR and re-evaluated multiple times. Vyper's codegen enforces constant context for iterable lists like range() but fails to prevent side-effect consumption from the loop body.

Remote attackers require no privileges (PR:N) and can exploit the vulnerability over the network (AV:N) by interacting with deployed smart contracts compiled using affected vyper versions that contain vulnerable for loops. Triggering such loops causes interleaved reads and writes, potentially resulting in incorrect contract execution or state manipulation. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights high availability impact due to disrupted program flow, with associated CWEs including CWE-662 (Component with Excessive Influence).

The vyper security advisory (GHSA-h33q-mhmp-8p67) and pull request #4488 state that the issue is addressed in version 0.4.1. Users are advised to upgrade to the patched release as soon as available, with no known workarounds.