AugAssign evaluation order causing OOB write within the object in Vyper

GHSA-4w26-8p97-f4jp · CVE-2025-27105 · PYSEC-2025-31

Published Feb 21, 2025 · Modified Apr 9, 2025

Description

Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. In other words, the following code

def poc():
    a: DynArray[uint256, 2] = [1, 2]
    a[1] += a.pop()

is equivalent to:

def poc():
    a: DynArray[uint256, 2] = [1, 2]
    a[1] += a[len(a) - 1]
    a.pop()

rather than:

def poc():
    a: DynArray[uint256, 2] = [1, 2]
    s: uint256 = a[1]
    t: uint256 = a.pop()
    a[1] = s + t  # reverts due to oob access

References

WEB https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-27105
WEB https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml
PACKAGE https://github.com/vyperlang/vyper

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes