2.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-26622

GHSA ID

GHSA-2p94-8669-xg86

EPSS Score

0.17917%

CWE

CWE-682

Published

2/21/2025

Updated

2/24/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-26622

CVE-2025-26622: Vyper's sqrt doesn't define rounding behavior

Vyper's sqrt() builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results.

the fix is tracked in https://github.com/vyperlang/vyper/pull/4486

Vulnerability Details

Vyper injects the following code to handle calculation of decimal sqrt. x is the input provided by user.

assert x >= 0.0
z: decimal = 0.0

if x == 0.0:
    z = 0.0
else:
    z = x / 2.0 + 0.5
    y: decimal = x

    for i: uint256 in range(256):
        if z == y:
            break
        y = z
        z = (x / z + z) / 2.0

Notably, the terminal condition of the algorithm is either z_cur == z_prev, or the algorithm runs for 256 rounds.

However, for certain inputs, z might actually oscillate between N and N + epsilon, where N ** 2 <= x < (N + epsilon) ** 2. This means that the current behavior does not define whether it will round up or down to the nearest epsilon.

The example snippet here returns 0.9999999999, the rounded up result for sqrt(0.9999999998). This is due to the oscillation ending in N + epsilon instead of N.

@external
def test():
    d: decimal = 0.9999999998
    r: decimal = sqrt(d)    #this will be 0.9999999999

Note that sqrt() diverges from isqrt() here -- isqrt() consistently rounds down, so it is not subject to the same issue.

Impact Details

Since sqrt() can be used for determining boundary conditions, rounding down is preferred. However, since sqrt() is used very rarely in the wild, this advisory has been assigned an impact of low.

(GitHub Advisory)

2.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-26622

GHSA ID

GHSA-2p94-8669-xg86

EPSS Score

0.17917%

CWE

CWE-682

Published

2/21/2025

Updated

2/24/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vyper	pip	<= 0.4.0	0.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly affects Vyper's sqrt() builtin for decimals. The provided code snippet shows the vulnerable loop structure handling the calculation. The fix in PR #4486 modifies this specific sqrt implementation to enforce rounding down, and the test case added in tests/functional/codegen/types/numbers/test_sqrt.py directly targets this decimal sqrt behavior. Though the exact file path isn't explicitly stated, Vyper's architecture places built-in function implementations in files like vyper/builtin_functions/functions.py.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Vyp*r's `sqrt()` *uiltin us*s t** ***yloni*n m*t*o* to **l*ul*t* squ*r* roots o* ***im*ls. Un*ortun*t*ly, improp*r **n*lin* o* t** os*ill*tin* *in*l st*t*s m*y l*** to sqrt in*orr**tly r*turnin* roun*** up r*sults. t** *ix is tr**k** in *ttps://*it*

Reasoning

T** vuln*r**ility *xpli*itly *****ts Vyp*r's sqrt() *uiltin *or ***im*ls. T** provi*** *o** snipp*t s*ows t** vuln*r**l* loop stru*tur* **n*lin* t** **l*ul*tion. T** *ix in PR #**** mo*i*i*s t*is sp**i*i* sqrt impl*m*nt*tion to *n*or** roun*in* *own,

2.3

Basic Information

Concerned about an active attack path?

CVE-2025-26622: Vyper's sqrt doesn't define rounding behavior

Vulnerability Details

Impact Details

2.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI