Vulnerability Details : CVE-2025-27423

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164
Published 2025-03-03 16:30:20
Updated 2025-03-03 17:15:16
Source GitHub, Inc.
View at NVD,   CVE.org

Products affected by CVE-2025-27423

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2025-27423

EPSS FAQ
0.07%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-27423

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
7.1
 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
N/A
N/A
 GitHub, Inc. 2025-03-03
7.1
 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1.8
5.2
 GitHub, Inc. 2025-03-03

CWE ids for CVE-2025-27423

  • The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
    Assigned by:
    • a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
    • security-advisories@github.com (Primary)

References for CVE-2025-27423

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close