Home > Vulnerability Database > CVE-2025-27423

Mend.io Vulnerability Database

CVE-2025-27423

Date: March 3, 2025

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164

Severity Score

7.1

Related Resources (8)

Url: https://github.com/vim/vim/commit/129a8446d23cd9cb4445fcfea259cba5e0487d29

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27423

Url: https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3

Url: https://security.alpinelinux.org/vuln/CVE-2025-27423

Url: https://github.com/vim/vim/commit/334a13bff78aa0ad206bc436885f63e3a0bab399

Url: https://security.netapp.com/advisory/ntap-20250502-0002/

Url: https://security-tracker.debian.org/tracker/CVE-2025-27423

Url: https://www.mend.io/vulnerability-database/CVE-2025-27423

Severity Score

7.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27423

Date: March 3, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?