CVE-2025-53906
BaseFortify

Publication date: 2025-07-15

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-15
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vim
Product: vim
Version / Range: versions before 9.1.1551 (9.1.1551 excluded)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
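As an added illustration of the CWE-22 pattern behind this advisory (this is not code from Vim or its zip.vim plugin), a small Python checker that lists the entry names in a zip archive which could resolve outside the extraction directory. The sample archive and its entry names are constructed inline for the demonstration; nothing is written to disk.

```python
import io
import zipfile


def is_unsafe_member(name: str) -> bool:
    """Return True if a zip entry name could escape the extraction directory.

    The check is deliberately strict: any '..' component, an absolute POSIX
    path, or a Windows drive letter is flagged, regardless of whether later
    components would "undo" the traversal.
    """
    # Zip names should use '/', but some tools emit backslashes; normalise first.
    norm = name.replace("\\", "/")
    # Absolute POSIX path or Windows drive letter (e.g. "C:/...").
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # Any parent-directory component anywhere in the path.
    return ".." in norm.split("/")


def scan_zip(data: bytes) -> list[str]:
    """Return the names of entries that look like traversal attempts."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and several suspicious names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign content")
        zf.writestr("../escaped.txt", "x")
        zf.writestr("/absolute/path.txt", "x")
        zf.writestr("sub/../../escaped2.txt", "x")
        zf.writestr("..\\backslash.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_archive()):
        print("suspicious entry:", entry)
```

A checker like this can be run over archives before opening them in an editor or extraction tool; a clean result only means the names are safe, not that the content is.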
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a path traversal issue in Vim's zip.vim plugin prior to version 9.1.1551. It allows an attacker to overwrite arbitrary files by opening specially crafted zip archives in Vim. Exploitation requires the user to directly interact by editing such a file, which may reveal suspicious filenames and content. The vulnerability can lead to overwriting sensitive files or placing executable code in privileged locations depending on the permissions of the Vim process. It can potentially allow execution of arbitrary commands on the operating system.


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to overwrite sensitive files or place executable code in privileged locations on your system, potentially leading to arbitrary command execution. However, the impact is considered low because exploitation requires direct user interaction and the victim must open and edit a specially crafted zip archive using Vim. The risk depends on the permissions of the process running Vim.


What immediate steps should I take to mitigate this vulnerability?

Update Vim to version 9.1.1551 or later, which contains the patch for this vulnerability. Additionally, avoid opening zip archives with Vim's zip.vim plugin unless you trust the source, as exploitation requires direct user interaction.

