Message-ID: <aej+xp8kzTsXycYF@256bit.org>
Date: Wed, 22 Apr 2026 19:00:54 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] OS Command Injection in netrw affects Vim < 9.2.0383

OS Command Injection in netrw affects Vim < 9.2.0383
=====================================================
Date: 21.04.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

## Summary
An OS command injection vulnerability exists in the `netrw` standard
plugin bundled with Vim. By inducing a user to open a crafted URL (e.g.,
using the `sftp://` or `file://` protocol handlers), an attacker can
execute arbitrary shell commands with the privileges of the Vim process.

## Description
When Netrw processes remote or local URLs such as `sftp://host/path` or
`file://host/path`, it may create temporary files to store transferred
content. The temporary file name is derived in part from the original
file name, including its suffix.

The vulnerability exists because the suffix extraction logic in
`s:GetTempfile()` previously accepted arbitrary characters after the `.`
in a filename. Shell metacharacters (e.g., `;`, `|`, `&`) embedded in the
suffix were therefore copied verbatim into the generated temporary file
name.

Since this temporary file name was then interpolated into command lines
for external programs (such as `sftp` or configured file handlers) without
proper escaping, the shell interpreted those metacharacters and an
attacker could inject arbitrary commands.
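The following Python model illustrates the two-step failure described above (a permissive suffix extraction feeding an unescaped shell string) next to a hardened variant. It is an added example, not netrw's code and not the actual fix in patch 9.2.0383; the URL, the `/tmp/vimtmp0001` base name and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample URL (not from the advisory): the file name carries a
# shell metacharacter after the '.' so that it lands in the extracted suffix.
SAMPLE_URL = "sftp://example.invalid/home/user/notes.txt;id"

# Characters a POSIX shell treats specially when they appear unquoted.
SHELL_META = set(";|&$`<>(){}\n")


def filename_from_url(url: str) -> str:
    """Last path component of a scheme://host/path URL (no decoding)."""
    return url.split("://", 1)[1].rsplit("/", 1)[-1]


def suffix_unsafe(name: str) -> str:
    """Permissive extraction, as described for the pre-fix code:
    everything after the last '.' is taken as the suffix."""
    idx = name.rfind(".")
    return name[idx:] if idx >= 0 else ""


def suffix_safe(name: str) -> str:
    """Hardened extraction (hypothetical): keep only a leading run of
    [A-Za-z0-9_] after the last '.', drop anything else."""
    idx = name.rfind(".")
    if idx < 0:
        return ""
    m = re.match(r"[A-Za-z0-9_]+", name[idx + 1:])
    return "." + m.group(0) if m else ""


def tempname(base: str, suffix: str) -> str:
    """Temporary file name = fixed base + suffix derived from the original."""
    return base + suffix


def shell_command_unsafe(remote: str, tmp: str) -> str:
    """Interpolates the temp name into a shell string: metacharacters stay live."""
    return f"sftp {remote} {tmp}"


def shell_command_quoted(remote: str, tmp: str) -> str:
    """Same command, but every argument is passed through shlex.quote."""
    return "sftp " + " ".join(shlex.quote(a) for a in (remote, tmp))


def contains_shell_meta(s: str) -> bool:
    """True if the string holds at least one unquoted-shell metacharacter."""
    return any(c in SHELL_META for c in s)


def demo(url: str = SAMPLE_URL, base: str = "/tmp/vimtmp0001"):
    """Returns (filename, vulnerable command, hardened command) for one URL."""
    name = filename_from_url(url)
    unsafe_cmd = shell_command_unsafe("example.invalid",
                                      tempname(base, suffix_unsafe(name)))
    safe_cmd = shell_command_quoted("example.invalid",
                                    tempname(base, suffix_safe(name)))
    return name, unsafe_cmd, safe_cmd


if __name__ == "__main__":
    for label, cmd in zip(("vulnerable", "hardened"), demo()[1:]):
        print(f"{label:10s} {cmd!r}  meta={contains_shell_meta(cmd)}")
```

Both defences matter independently: restricting the suffix to a safe character set stops the injection at the source, and quoting (or, better, passing an argv list to the process without a shell) makes the command line robust even if some other path lets a metacharacter through.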

## Impact
The vulnerability allows arbitrary shell command execution in the
context of the Vim process. Exploitation requires the user to open a
specially crafted URL, and the injected payload is typically visible in
the filename, making stealthy exploitation less likely. The severity is
therefore rated medium.

## Acknowledgements
The Vim project would like to thank Joshua Rogers of [AISLE Research 
Team](https://aisle.com/) for reporting the issue.

## References
The issue is fixed in Vim patch [v9.2.0383](https://github.com/vim/vim/releases/tag/v9.2.0383); affected users should update to that version or later.
- [Commit](https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc)
- [Github Security Advisory](https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx)


Best,
Christian
-- 
Majesty is the capacity to act rightly or wrongly without regard
to reward or punishment.
		-- Goethe, Maxims and Reflections, No. 730
