CVE-2025-27423
Published: 03 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-27423 is a command injection vulnerability in the tar.vim plugin distributed with Vim, the open source command-line text editor. Starting with Vim 9.1.0858, the plugin uses the ":read" ex command to append the content of an archive member below the cursor, but it does not sanitize the member filenames taken from the archive before handing them to that command. A crafted tar file can therefore make Vim run arbitrary shell commands; which interpreter runs them depends on the editor's 'shell' option, which is set from the $SHELL environment variable. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is classified as CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). It was fixed in Vim patch 9.1.1164.
The attacker needs no account on the target system: the CVSS attack vector is local because the victim has to open the specially crafted tar archive (compressed or uncompressed) in Vim while the tar.vim plugin is active. Opening the file is enough to trigger the unsanitized ":read" command and, with it, shell command execution with the victim's privileges. The impact is rated high for confidentiality and integrity (whatever the user can read or modify, the injected command can too) and none for availability. No privileges are required, but user interaction is.
Vim developers addressed the issue in patch 9.1.1164; the fix is in GitHub commits 129a8446d23cd9cb4445fcfea259cba5e0487d29 and 334a13bff78aa0ad206bc436885f63e3a0bab399 and is documented in GitHub security advisory GHSA-wfmf-8626-q3r3. Downstream vendors have issued their own advisories, for example NetApp's ntap-20250502-0002, recommending updates to patched Vim versions for affected products. Security practitioners should ensure Vim installations are at 9.1.1164 or later (`vim --version` lists the included patch range) and advise users not to open untrusted tar archives in Vim until they are.
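The two checks a practitioner wants from the summary above are (a) is this Vim build inside the affected range, and (b) does a tar archive carry member names that an unpatched tar.vim would have passed to ":read" unescaped. The following Python is an added example, not code from the Vim project or from the advisory. It assumes the affected range is [9.1.0858, 9.1.1164) as stated above, parses the "Included patches" line that `vim --version` prints, and treats any shell metacharacter in a member name as suspicious; the advisory does not enumerate which characters the plugin failed to neutralise, so that character set is a deliberately broad assumption. The archive and version banner it scans are constructed inline so the script runs offline.

```python
"""Added example (not Vim project code): pre-screen tar archives for member
names an unpatched tar.vim could hand to ':read' unsanitized, and check
whether a Vim build falls in the affected range [9.1.0858, 9.1.1164)."""
import io
import re
import tarfile

# Vim's ':read !{cmd}' form runs {cmd} through the 'shell' option, so '!' is
# included alongside the characters a POSIX shell treats specially.  The
# advisory does not list the characters tar.vim left unescaped, so this set
# is an assumption chosen to over-flag rather than under-flag.
SHELL_META = set("!|&;$`\"'<>()*?[]{}~\\ \t\r\n")

INTRODUCED = (9, 1, 858)   # tar.vim started using ':read' here
FIXED = (9, 1, 1164)       # patch that sanitises the filenames


def suspicious_chars(name: str) -> str:
    """Return the shell metacharacters present in a tar member name."""
    return "".join(sorted({c for c in name if c in SHELL_META}))


def scan_tar(data: bytes) -> dict:
    """Map each suspicious member name to the characters that flagged it.

    Handles plain and compressed archives ('r:*' autodetects gzip/bz2/xz).
    Only the header names are inspected; nothing is extracted.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            bad = suspicious_chars(member.name)
            if bad:
                findings[member.name] = bad
    return findings


def parse_vim_version(banner: str) -> tuple:
    """Extract (major, minor, highest included patch) from 'vim --version'."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a Vim version banner")
    p = re.search(r"Included patches: ([\d ,-]+)", banner)
    patch = int(re.findall(r"\d+", p.group(1))[-1]) if p else 0
    return (int(m.group(1)), int(m.group(2)), patch)


def vim_is_affected(version: tuple) -> bool:
    """True when the build carries the ':read' code but not the fix."""
    return INTRODUCED <= version < FIXED


def build_sample_archive() -> bytes:
    """Constructed gzip-compressed archive: one benign member and two whose
    names carry shell metacharacters.  Sample data, not a real attack file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in (
            ("docs/README.txt", b"hello\n"),
            ("notes;id.txt", b"x\n"),
            ("!touch pwned", b"x\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed banner in the layout 'vim --version' prints (not real output).
SAMPLE_BANNER = "VIM - Vi IMproved 9.1 (2024 Jan 02)\nIncluded patches: 1-1000\n"

if __name__ == "__main__":
    for name, chars in scan_tar(build_sample_archive()).items():
        print(f"suspicious member {name!r}: metacharacters {chars!r}")
    v = parse_vim_version(SAMPLE_BANNER)
    print("vim", ".".join(map(str, v)), "affected:", vim_is_affected(v))
```

On a real host, feed `subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout` to `parse_vim_version` and the bytes of a quarantined archive to `scan_tar`. The scanner is a triage aid, not a proof of safety: a flagged name only means the archive deserves a look before anyone opens it in an unpatched editor, and the real fix remains updating to 9.1.1164 or later.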
Details
CWE(s)
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Affected Products
- Vim 9.1.0858 up to, but not including, 9.1.1164 (tar.vim plugin)
MITRE ATT&CK Enterprise Techniques
- T1203: Exploitation for Client Execution
- T1204.002: User Execution: Malicious File
- T1059.004: Command and Scripting Interpreter: Unix Shell
Why these techniques?
Command injection in the Vim tar.vim plugin lets a malicious tar file, once a user opens it, run arbitrary Unix shell commands. That maps directly to client-side exploitation (T1203), user execution of a malicious file (T1204.002) and the Unix shell as the interpreter (T1059.004).