CVE-2025-21607 affects Vyper, a Pythonic smart contract language for the Ethereum Virtual Machine (EVM). Code generated by the Vyper compiler does not check the success flag when calling the precompiles EcRecover (0x1) and Identity (0x4). If an attacker provides a specific amount of gas, these calls can fail while the overall execution continues, so the execution results may be incorrect. According to EVM rules, after a failed precompile call the remaining code can only use 1/64 of the pre-call gas, which limits the complexity of subsequent execution. No significantly impacted real-world contracts have been identified, and the advisory was issued out of an abundance of caution. The issue has been addressed in version 0.4.1 of Vyper.
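The gas arithmetic behind that description can be modelled in a few lines. This is an added example, not code from Vyper or from the advisory; it assumes the call forwards the maximum gas EIP-150 allows and ignores the call opcode's own cost, and the function names are hypothetical.

```python
# Added example: simplified gas model, not Vyper or EVM client code.
# Assumption: the call forwards the maximum gas EIP-150 allows, and the
# call opcode's own cost and memory expansion are ignored.

ECRECOVER_COST = 3000  # fixed gas cost of the EcRecover precompile (0x1)


def identity_cost(n_bytes):
    """Gas cost of the Identity precompile (0x4): 15 + 3 per 32-byte word."""
    return 15 + 3 * ((n_bytes + 31) // 32)


def forwarded(gas_before_call):
    """EIP-150: at most all but 1/64 of the available gas goes to the callee."""
    return gas_before_call - gas_before_call // 64


def call_precompile(gas_before_call, cost):
    """Return (success, gas left in the caller after the call)."""
    sent = forwarded(gas_before_call)
    retained = gas_before_call - sent
    if sent < cost:
        return False, retained  # callee ran out of gas; forwarded gas is consumed
    return True, retained + (sent - cost)


def run(gas_before_call, cost, check_success):
    """Hypothetical caller: with check_success=False the failure is ignored."""
    ok, _left = call_precompile(gas_before_call, cost)
    if ok:
        return "ok"
    return "revert" if check_success else "continues-with-incorrect-result"


def max_gas_after_silent_failure(cost):
    """Upper bound on caller gas left once the precompile call has failed."""
    g = cost - 1
    while forwarded(g + 1) < cost:
        g += 1
    return g // 64


if __name__ == "__main__":
    print(run(3046, ECRECOVER_COST, check_success=False))
    print(run(3046, ECRECOVER_COST, check_success=True))
    print(max_gas_after_silent_failure(ECRECOVER_COST))
    print(max_gas_after_silent_failure(identity_cost(1024)))
```

In this model at most 47 gas remains in the caller after a failed EcRecover call, which illustrates why the code that runs after the failure is so constrained.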
The severity of this vulnerability is rated low, with a CVSS score of 2.3. The score reflects the low exploitation potential and impact on confidentiality. The integrity impact is classified as low, indicating that while the vulnerability exists, its real-world implications are limited. Organizations using Vyper should be aware of this vulnerability and apply the necessary patches to maintain the integrity of their smart contracts.
Given the nature of this vulnerability, organizations should prioritize patching immediately. The potential for incorrect execution results, albeit low in real-world impact, necessitates a proactive approach to security. It is crucial for organizations to regularly monitor their systems for updates and ensure that they are using the latest version of Vyper to mitigate any associated risks.
For further information and guidance, organizations may refer to the advisories published by Vyper, which outline the details of this vulnerability and the steps needed to remediate it.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
