CVE-2025-53906

Severity: MEDIUM · EPSS: 49.7%
Published Jul 15, 2025 (11mo ago) · Modified Jun 17, 2026 (2w ago)
4.1 CVSS 3.1
Medium

Description

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may notice that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.

CVSS Details

Base Score
4.1
Exploitability
1.0
Impact
2.7
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality None
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability: 49.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-22 Path Traversal (Resource Mgmt)

Affected Products (1)

Vendor   Product   Version Range
vim      vim       * <9.1.1551

References (4)

  • openwall.com http://www.openwall.com/lists/oss-security/2025/07/15/2
  • openwall.com http://www.openwall.com/lists/oss-security/2026/04/01/4
  • github.com https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8
    Patch
  • github.com https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8
    Patch