CVE-2025-27423
Improper Input Validation in Vim
In short
Vim's tar.vim plugin executes unintended shell commands when opening specially crafted tar files because it doesn't validate filenames before using them in commands. An attacker can trick users into opening malicious tar archives to run arbitrary code on their system.
Technical detail
CWE-77 (command injection) vulnerability in the tar.vim plugin (Vim 9.1.0858 and later) where unsanitized filenames taken from tar archives are passed directly to the ':read' Ex command, allowing shell command injection depending on the configured shell. The attack requires user interaction (opening a malicious tar file), but successful exploitation results in arbitrary code execution with the privileges of the Vim user.
Summary generated and translated by AI from the official description.
Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" Ex command line to append below the cursor position; however, the filename is not sanitized and is taken literally from the tar archive. This allows execution of shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used (the 'shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164.
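The following is an added example, not code from Vim or from the tar.vim plugin. It shows the practical check a defender would run before opening an untrusted archive: list the member names and flag any that the Ex command line would interpret rather than take literally when handed to ':read'. The metacharacter set (leading '!' for a shell command, backticks, '|', '%', '#', wildcards, newline) is drawn from Vim's Ex syntax and is this example's own choice; the sample archive is constructed in memory.

```python
import io
import re
import tarfile

# Characters the Ex ':read' command line interprets instead of using as part of
# a literal file name: a leading '!' runs the rest as a shell command, backticks
# are expanded through the shell, '|' ends the Ex command, '%' and '#' expand to
# the current/alternate buffer name, '*' and '?' trigger wildcard expansion.
# This set is chosen for the example, not taken from the advisory.
_EX_SPECIAL = re.compile(r"[`|%#*?\n]")


def risky_members(archive: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each tar entry whose name would be
    interpreted by ':read' rather than read verbatim."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            if name.lstrip().startswith("!"):
                findings.append((name, "leading '!' runs a shell command"))
            elif _EX_SPECIAL.search(name):
                findings.append((name, "contains Ex/shell metacharacters"))
    return findings


def build_archive(names: list[str]) -> bytes:
    """Construct an uncompressed tar archive in memory with one short text
    member per name (constructed sample data for this example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"hello\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: two benign members and two whose names would be executed
# rather than read if passed unescaped to ':read'.
SAMPLE_NAMES = [
    "docs/README.txt",
    "src/main.c",
    "!id > /tmp/pwned",
    "notes`id`.txt",
]
SAMPLE_ARCHIVE = build_archive(SAMPLE_NAMES)

if __name__ == "__main__":
    for name, why in risky_members(SAMPLE_ARCHIVE):
        print(f"{name!r}: {why}")
```

Run it against a downloaded archive by reading the file's bytes into risky_members(); any hit means the archive should not be opened in an unpatched Vim (before v9.1.1164), regardless of whether the configured 'shell' would actually execute the injected text.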
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected products
vim · vim