CVE-2025-53905

Severity: MEDIUM · EPSS 15.2%
Published Jul 15, 2025 · Modified Jun 17, 2026
CVSS 3.1 base score: 4.1 (Medium)

Description

Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because exploitation requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may notice that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
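The condition described above is CWE-22 applied to archive member names: an entry whose name (or link target) resolves outside the directory the archive is unpacked into. The following pre-open check is an added example, not code from Vim or the tar.vim plugin; it lists such members so a viewer or extractor can refuse them, and the archives it inspects are constructed in memory with made-up names.

```python
"""Flag tar members whose paths would land outside the extraction directory."""
import io
import posixpath
import tarfile
from typing import Optional


def is_unsafe_path(name: str) -> bool:
    """True if `name`, unpacked under some base directory, could escape it."""
    if not name or name.startswith("/"):
        return True  # empty or absolute path
    # collapse '.' and redundant separators the way an extractor would;
    # any '..' segment that survives climbs above the base directory
    return ".." in posixpath.normpath(name).split("/")


def unsafe_members(data: bytes) -> list[str]:
    """Return the names of members in a tar (given as bytes) that would escape."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if is_unsafe_path(m.name):
                flagged.append(m.name)
            elif m.issym():
                # a symlink target is resolved relative to the link's own directory
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if is_unsafe_path(target):
                    flagged.append(m.name)
            elif m.islnk() and is_unsafe_path(m.linkname):
                flagged.append(m.name)  # hard link target is archive-relative
    return flagged


def build_tar(files: dict[str, bytes], links: Optional[dict[str, str]] = None) -> bytes:
    """Build a tar in memory; member names are used verbatim (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        for name, target in (links or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_tar({"notes/readme.txt": b"ok", "../../escape.txt": b"!"},
                        links={"abs-link": "/etc/hostname"})
    print(unsafe_members(archive))  # ['../../escape.txt', 'abs-link']
```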

CVSS Details

Base Score
4.1
Exploitability
1.0
Impact
2.7
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality None
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
15.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22 Path Traversal (Resource Mgmt)

Affected Products 1

Vendor  Product  Version Range
vim     vim      * <9.1.1552

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2025/07/15/1
  • github.com https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239
    Patch
  • github.com https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239
    Patch