cbcvebase.
CVE-2019-12735
published 2019-06-05


Priority: P2, 67, high
CVSS 3.0: 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Exploit: available
EPSS: 19.11% (97.0th percentile)
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Affected (18 ranges)

Vendor    | Product                                 | Version range                    | Fixed in
debian    | neovim                                  | < neovim 0.3.4-3 (bookworm)      | neovim 0.3.4-3 (bookworm)
debian    | vim                                     | < neovim 0.3.4-3 (bookworm)      | neovim 0.3.4-3 (bookworm)
msrc      | cbl_mariner_1.0_arm                     |                                  |
msrc      | cbl_mariner_1.0_x64                     |                                  |
msrc      | cm1_vim_8.1.0388-7_on_cbl_mariner_1.0   |                                  |
neovim    | neovim                                  | < 0.3.6                          | 0.3.6
neovim    | neovim                                  | >= 0 < 0.3.4-3                   | 0.3.4-3
neovim    | neovim                                  | >= 0 < 0.3.4-3                   | 0.3.4-3
neovim    | neovim                                  | >= 0 < 0.3.4-3                   | 0.3.4-3
neovim    | neovim                                  | >= 0 < 0.3.4-3                   | 0.3.4-3
paloalto  | pan-os                                  |                                  |
vim       | vim                                     | < 8.1.1365                       | 8.1.1365
vim       | vim                                     | >= 0 < 2:8.1.0875-4              | 2:8.1.0875-4
vim       | vim                                     | >= 0 < 2:8.1.0875-4              | 2:8.1.0875-4
vim       | vim                                     | >= 0 < 2:8.1.0875-4              | 2:8.1.0875-4
vim       | vim                                     | >= 0 < 2:8.1.0875-4              | 2:8.1.0875-4
vim       | vim                                     | >= 0 < 2:7.4.1689-3ubuntu1.3     | 2:7.4.1689-3ubuntu1.3
vim       | vim                                     | >= 0 < 2:8.0.1453-1ubuntu1.1     | 2:8.0.1453-1ubuntu1.1

Detection & IOCs (extracted from sources)

command: :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
command: vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0
command: # vim: set foldexpr=execute('\:source! some_file'):
  • Detect modeline strings containing 'source!' (with bang) combined with fold-expression options (fdm=expr, fde=); this is the core exploit pattern that bypasses the Vim sandbox.
  • Flag files containing modelines with 'fdm=expr' and 'fde=' set to functions such as assert_fails(), execute(), or nvim_input(); these are the known sandbox-escape vectors.
  • Detect terminal escape sequences (\x1b[?7l, \x1bS) at the start of files, used to hide malicious modelines from 'cat' output; this concealment technique was used in the reverse-shell PoC.
  • Monitor for 'nohup nc ... -e /bin/sh' processes spawned as children of vim or nvim processes, which indicates successful reverse-shell execution via this CVE.
  • The vulnerability requires the 'modeline' option to be enabled; check for the absence of 'set nomodeline' in vimrc. Modeline is enabled by default for non-root users.
  • For Neovim specifically, also look for nvim_input() in modelines as an alternative sandbox-escape function (execute() is blacklisted in the Neovim sandbox, but nvim_input() is not).
  • The exploit only triggers if the 'modeline' option is enabled in Vim/Neovim. By default, modeline is disabled when running as root, which reduces the risk for privileged sessions.
  • RHEL 5, 6, and 7 default installations did not include assert_fails() at the time of disclosure, so part 3 of the exploit chain is absent there; RHEL 8 does contain assert_fails().
  • Disabling 'modelineexpr' (Vim only, available since patch 8.1.1366) prevents expressions in modelines and is an additional mitigation beyond patching.
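The detection bullets above can be turned into a small file scanner. The following is an added example written for this page; it is not from the CVE's sources or from the Vim/Neovim projects. The rule names ('source_bang', 'fold_expr_<function>', 'fold_method_expr', 'escape_prefix') are this example's own, and the sample file contents are constructed from the three IOC strings listed above plus one harmless modeline for comparison.

```python
import re
import sys
from typing import List, Tuple

# Sandbox-escape functions named in the detection guidance above.
RISKY_FUNCS = ("assert_fails", "execute", "nvim_input")

# Vim modeline, first form: "vi:", "vim:" or "ex:" preceded by start of line
# or whitespace; the optional "set " covers the second form.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(?:set\s+)?(.*)$")
FOLD_METHOD_EXPR_RE = re.compile(r"(?:fdm|foldmethod)=expr")
FOLD_EXPR_RE = re.compile(r"(?:fde|foldexpr)=")
SOURCE_BANG_RE = re.compile(r"source\\?!")   # 'source!' or the escaped 'source\!'
FUNC_RE = re.compile(r"\b(" + "|".join(RISKY_FUNCS) + r")\s*\(")

# Escape sequences the PoC used to hide the modeline from `cat` output.
CONCEAL_PREFIXES = ("\x1b[?7l", "\x1bS")


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) findings; line 0 refers to the file prefix."""
    findings: List[Tuple[int, str]] = []
    head = text[:32]
    if any(p in head for p in CONCEAL_PREFIXES):
        findings.append((0, "escape_prefix"))
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        opts = m.group(1)
        if SOURCE_BANG_RE.search(opts):
            findings.append((lineno, "source_bang"))
        func = FUNC_RE.search(opts)
        if FOLD_EXPR_RE.search(opts) and func:
            # fde=/foldexpr= pointing at a known sandbox-escape function
            findings.append((lineno, "fold_expr_" + func.group(1)))
        elif FOLD_METHOD_EXPR_RE.search(opts):
            # fdm=expr on its own is common in legitimate files: low priority
            findings.append((lineno, "fold_method_expr"))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a file on disk; bytes are decoded leniently so binaries don't abort the scan."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", errors="replace"))


# Constructed samples: the three IOC strings from this page, a concealed
# variant (escape sequence prefix), and a harmless modeline.
IOC_LINES = [
    r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="',
    r'vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0',
    r"# vim: set foldexpr=execute('\:source! some_file'):",
]
CONCEALED_SAMPLE = "\x1b[?7l\x1bSJust a text file\n" + IOC_LINES[0] + "\n"
BENIGN_SAMPLE = "/* vim: set ts=4 sw=4 et: */\nint main(void) { return 0; }\n"

if __name__ == "__main__":
    # Usage: python scan_modelines.py FILE...   (no arguments runs the samples)
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for lineno, rule in scan_file(path):
                print(f"{path}:{lineno}: {rule}")
    else:
        for name, sample in (("concealed", CONCEALED_SAMPLE), ("benign", BENIGN_SAMPLE)):
            print(name, scan_text(sample))
```

The scanner only looks at the file contents, so it complements rather than replaces the process-monitoring bullet above (child processes of vim/nvim); pair it with the 'set nomodeline' / 'modelineexpr' configuration checks on the hosts that open untrusted files.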

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.0    | 8.6   | HIGH     | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd            | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv            |         | 9.8   | CRITICAL |
vendor_ubuntu  |         | 9.8   | CRITICAL |
vendor_debian  |         | 8.6   | HIGH     |
vendor_msrc    |         | 8.6   | HIGH     |
vendor_redhat  |         | 8.6   | HIGH     |