CVE-2025-27423

EPSS 0.46%
Veröffentlicht 03.03.2025 17:15:15
Zuletzt bearbeitet 18.08.2025 18:20:37
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vim ≫ Vim Version >= 9.1.0858 < 9.1.1164

Netapp ≫ Hci Compute Node Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.631

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/vim/vim/commit/129a8446d23cd9cb4445fcfea259cba5e0487d29

Patch

https://github.com/vim/vim/commit/334a13bff78aa0ad206bc436885f63e3a0bab399

Patch

https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250502-0002/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-27423

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27423

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27423

EUVD