
A newly discovered vulnerability in the popular text editor Vim could allow malicious actors to execute arbitrary code on unsuspecting users’ systems. The flaw, tracked as CVE-2025-27423, resides within the tar.vim plugin, which is distributed with Vim and allows users to easily view and edit tar archives.
Vim, a powerful and highly configurable text editor, is widely used by developers and system administrators. However, a recent security advisory from the Vim project has highlighted a critical flaw that users need to address promptly.
The issue stems from a change introduced in commit 129a844 (November 11, 2024), which aimed to enhance tar.vim’s functionality by adding support for permissions. However, this update inadvertently introduced a security risk.
According to the Vim project’s advisory, “Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to support permissions), the tar.vim plugin uses the ‘:read’ ex command line to append below the cursor position, however the [filename] is not sanitized and is taken literally from the tar archive. This allows [one] to execute shell commands via specially crafted tar archives.”
Essentially, malicious actors can craft specially designed tar files that, when opened with Vim, can execute shell commands due to the lack of proper sanitization of filenames.
The severity of this vulnerability is rated as high, with a CVSS score of 7.1. The advisory notes, “Impact is high but a user must be convinced to edit such a file using Vim which will reveal the filename, so a careful user may suspect some strange things going on.” This means that while the potential for harm is significant, users can mitigate the risk by exercising caution when opening tar files from untrusted sources.
The Vim project has released patch v9.1.1164, which addresses CVE-2025-27423. Users are strongly advised to update their Vim installations to this version or later immediately.
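Two checks a defender can run follow, as an added example that is not part of the article or of the Vim project's own code. The first parses the text printed by `vim --version` (its real "VIM - Vi IMproved 9.1" banner and "Included patches: 1-1164" line) and reports whether the build contains patch 9.1.1164, which the article names as the fix. The second screens the member names of a tar archive before it is opened in Vim, flagging names that Vim's command line would not treat as a plain filename; the character set it screens for is this example's own conservative choice, not the plugin's actual fix. The sample archive and the version strings are constructed here for the demonstration.

```python
"""Defender-side checks for CVE-2025-27423 (tar.vim ':read' filename handling)."""
import io
import re
import tarfile

# The article states the fix shipped in Vim v9.1.1164.
FIXED_VERSION = (9, 1)
FIXED_PATCH = 1164

_VERSION_RE = re.compile(r"VIM - Vi IMproved (\d+)\.(\d+)")
_PATCHES_RE = re.compile(r"Included patches:\s*([0-9,\- ]+)")


def _patch_included(ranges: str, wanted: int) -> bool:
    """True if `wanted` lies inside one of the 'a-b, c, d-e' patch ranges."""
    for chunk in ranges.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        lo, _, hi = chunk.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if lo_n <= wanted <= hi_n:
            return True
    return False


def vim_has_fix(version_output: str) -> bool:
    """Decide from `vim --version` text whether the build contains the fix.

    Returns True for a 9.1 build that includes patch 1164 and for any newer
    minor release. Anything older than 9.1 returns False: it carries no fix,
    and the version banner alone does not say which tar.vim it ships.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised vim --version output")
    ver = (int(m.group(1)), int(m.group(2)))
    if ver != FIXED_VERSION:
        return ver > FIXED_VERSION
    p = _PATCHES_RE.search(version_output)
    return bool(p) and _patch_included(p.group(1), FIXED_PATCH)


# Conservative screen (this example's own, not the plugin's fix): a name that
# starts with '!' or contains backticks, '|', '%', '#' or a line break is not
# something an ex command line reads as an ordinary file name.
_SHELL_PREFIX = re.compile(r"^\s*!")
_CMDLINE_META = re.compile(r"[`|%#\r\n]")


def suspicious_name(name: str) -> bool:
    return bool(_SHELL_PREFIX.search(name) or _CMDLINE_META.search(name))


def suspicious_tar_members(data: bytes) -> list[str]:
    """Return the member names in a tar archive (as bytes) that fail the screen."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if suspicious_name(m.name)]


def build_sample_tar() -> bytes:
    """Constructed sample archive: one ordinary entry and one whose name
    begins with '!'. The second name is a placeholder, not a working command."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "!placeholder-not-a-real-command"):
            payload = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed banner in the layout `vim --version` prints.
    banner = "VIM - Vi IMproved 9.1 (2024 Jan 02)\nIncluded patches: 1-1164\n"
    print("fix present:", vim_has_fix(banner))
    print("flagged members:", suspicious_tar_members(build_sample_tar()))
```

In practice, feed `vim_has_fix` the captured output of `vim --version` on each host, and run `suspicious_tar_members` over archives received from outside before anyone opens them in an unpatched editor; a flagged name is a reason to inspect the archive with a plain `tar -tf` rather than in Vim.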