CVE-2025-53906
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Description
Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
Analysis
Path traversal in Vim's zip.vim plugin prior to version 9.1.1551 allows local attackers to overwrite arbitrary files when a user opens a specially crafted zip archive, potentially enabling arbitrary command execution if sensitive files or privileged locations are targeted. The vulnerability requires direct user interaction (opening a malicious zip file in Vim) and has low real-world impact because of the high attack complexity and local attack vector, though publicly available exploit code exists. EPSS exploitation probability is minimal at 0.03% (7th percentile), reflecting the friction imposed by the user interaction requirement.
Technical Context
Vim's zip.vim plugin (a built-in script for handling zip archive operations within the editor) fails to properly validate file paths when extracting or processing contents from zip files, violating CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). When a user opens a crafted zip archive containing path traversal sequences (e.g., '../' entries), the plugin writes files outside the intended extraction directory. This affects all versions of Vim prior to 9.1.1551 across all platforms and distributions covered by the affected CPE cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*. The underlying issue stems from insufficient sanitization of extracted file paths before filesystem operations.
Affected Products
Vim versions prior to 9.1.1551 are affected across all platforms and distributions. This includes the stable Vim 9.x line, the legacy 8.2 series, and earlier versions. The vendor advisory (GitHub GHSA-r2fw-9cw4-mj86) provides detailed guidance on affected releases. Patched version 9.1.1551 is available from the official Vim repository and package managers. The breadth of affected products is limited to Vim itself; third-party applications embedding Vim or using similar zip-handling logic may have analogous vulnerabilities but are not directly referenced in this CVE.
Remediation
Upgrade Vim to version 9.1.1551 or later, which contains the upstream fix committed to the official repository (commit 586294a04179d855c3d1d4ee5ea83931963680b8). For users unable to immediately upgrade, avoid opening untrusted or suspicious zip archives in Vim; instead, use alternative tools (unzip, 7-Zip, archive managers) for extracting and inspecting zip contents before processing in the editor. The fix is available via standard channels: official Vim releases, GitHub releases, and most Linux distribution package managers. Refer to the GitHub security advisory (GHSA-r2fw-9cw4-mj86) for platform-specific installation guidance and verification steps.
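As an added defensive check (not part of this advisory and not Vim's own code), covering the '../' traversal pattern described under Technical Context and the "inspect zip contents before processing in the editor" advice above: a small Python scanner that lists zip entries whose names would land outside the extraction directory. The sample archive and its entry names are constructed in memory for illustration.

```python
import io
import posixpath
import zipfile
from typing import List, Tuple


def unsafe_zip_entries(data: bytes) -> List[str]:
    """Return the entry names in a zip archive that would escape the
    extraction directory: '../' traversal after path normalisation,
    absolute paths, and Windows drive-letter prefixes (CWE-22 patterns)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Treat backslashes as separators so 'a\..\b' is not missed.
            normalized = name.replace("\\", "/")
            # Absolute path or drive letter ('C:...') escapes the root outright.
            if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
                flagged.append(name)
                continue
            # Collapse '.' and '..' components; anything still starting with
            # '..' climbs above the extraction directory.
            collapsed = posixpath.normpath(normalized)
            if collapsed == ".." or collapsed.startswith("../"):
                flagged.append(name)
    return flagged


def build_archive(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build an in-memory zip with arbitrary entry names (test fixture only).
    zipfile.ZipInfo accepts the raw name, so traversal names can be embedded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(zipfile.ZipInfo(name), content)
    return buf.getvalue()


# Constructed sample: one benign entry and two entries that escape the root.
SAMPLE = build_archive([
    ("notes/readme.txt", b"harmless"),
    ("../../.bashrc", b"# would be written outside the extraction directory"),
    ("/etc/motd", b"absolute path"),
])

if __name__ == "__main__":
    for entry in unsafe_zip_entries(SAMPLE):
        print("unsafe entry:", entry)
```

Running the script against a real archive (replace SAMPLE with the file's bytes) reports the entries to inspect before opening the archive in an unpatched Vim.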