Message-ID: <aS9grXZWbWRuAoBk@256bit.org>
Date: Tue, 2 Dec 2025 22:57:01 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947

A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947
======================================================================

Date: 02.12.2025
Severity: High
CVE: CVE-2025-66476
CWE: Uncontrolled Search Path Element (CWE-427)

## Summary

An uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the currently edited file. The issue affects Vim for Windows **prior to version 9.1.1947**.

## Description

On Windows, when using `cmd.exe` as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as `findstr` for `:grep`, external commands or filters via `:!`, or compiler/`:make` commands, it may inadvertently run a malicious executable present in the same directory as the file being edited.

This enables an attacker to plant a trojanized executable with a commonly used name (e.g. `findstr.exe`) inside a project folder and have Vim execute it instead of the intended system binary, if the user changes into that directory using any of the `:cd`, `:lcd` or `:tcd` commands, or when Vim changes the directory to the directory of the file being edited (e.g. when opening a file via Windows Explorer).

## Impact

Executing a malicious binary in this way allows arbitrary code execution with the privileges of the user running Vim, without requiring elevated permissions.

The vulnerability can be triggered as soon as the user performs an action that triggers execution of an external command, including:

- `:grep` using Windows `findstr.exe`
- executing external commands using `:!`
- filter commands using `!`
- `:make` and related build-tool integrations
- other features invoking external utilities, such as the `system()` Vim script function

Because arbitrary code execution is possible without requiring elevated privileges and may occur simply by opening a file in a malicious directory, the severity is rated **high**.

This issue affects Vim for Windows version 9.1.1946 and earlier and is fixed in Vim **v9.1.1947**.

## Acknowledgements

The Vim project would like to thank Simon Zuckerbraun of Trend Micro’s Zero Day Initiative (ZDI) (ZDI-CAN-28569) for reporting this vulnerability.

References:

https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25
https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834

Thanks,
Chris

--
Hello laundry pre-warmer!
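The search-order behaviour the advisory describes, modelled in Python as an added example (this is not Vim's code and not the 9.1.1947 patch). It replicates the `cmd.exe` lookup of a bare command name (current directory first, then `PATH`, trying each `PATHEXT` extension), shows the effect of the documented Windows environment variable `NoDefaultCurrentDirectoryInExePath` (which makes the current directory be skipped; whether Vim's fix relies on it is not stated above), and includes a defender-side audit that flags files in a project folder whose names shadow executables in a system directory. The directory layout is constructed in a temp dir; the `PATHEXT` subset is an assumption.

```python
import tempfile
from pathlib import Path

# Subset of a typical PATHEXT (assumption); cmd.exe tries these in order
# for a bare name such as "findstr", and the first hit wins.
PATHEXT = (".com", ".exe", ".bat", ".cmd")


def resolve_command(name, cwd, path_dirs, search_cwd_first=True):
    """Model cmd.exe resolution of a bare command name.

    search_cwd_first=True is the CWE-427 behaviour in the advisory: the
    current directory is consulted before PATH.  search_cwd_first=False
    models a process where NoDefaultCurrentDirectoryInExePath is defined.
    Returns the resolved path as a string, or None if nothing matches.
    """
    candidates = ([cwd] if search_cwd_first else []) + list(path_dirs)
    for directory in candidates:
        for ext in PATHEXT:
            candidate = Path(directory) / (name + ext)
            if candidate.is_file():
                return str(candidate)
    return None


def find_shadowing_executables(project_dir, system_dirs):
    """Audit: names in project_dir that also exist as executables in any
    of system_dirs (e.g. System32).  Such files are worth investigating."""
    system_names = {p.name.lower() for d in system_dirs
                    for p in Path(d).iterdir()
                    if p.suffix.lower() in PATHEXT}
    return sorted(p.name for p in Path(project_dir).iterdir()
                  if p.is_file() and p.name.lower() in system_names)


def demo():
    """Constructed layout: a fake System32 with the genuine findstr.exe and
    a project folder carrying a planted file of the same name."""
    with tempfile.TemporaryDirectory() as root:
        system32, project = Path(root) / "System32", Path(root) / "project"
        system32.mkdir()
        project.mkdir()
        (system32 / "findstr.exe").write_bytes(b"genuine")
        (project / "findstr.exe").write_bytes(b"planted")
        vulnerable = resolve_command("findstr", project, [system32])
        hardened = resolve_command("findstr", project, [system32],
                                   search_cwd_first=False)
        shadowed = find_shadowing_executables(project, [system32])
        # -> ("project", "System32", ["findstr.exe"])
        return (Path(vulnerable).parent.name, Path(hardened).parent.name,
                shadowed)
```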