CVE-2025-53906

low-risk

Published 2025-07-15

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.1/10 Medium

LOCAL / HIGH complexity

Affected Products (1)

Vim

Affected Vendors

Vim

References (5)

Patch https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8

Exploit https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86

http://www.openwall.com/lists/oss-security/2025/07/15/2

http://www.openwall.com/lists/oss-security/2026/04/01/4

Exploit https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86

/ 100

low-risk

Severity 11/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal