CVE-2025-27423 — Command Injection in Azl3 VIM 9.1.1164-1 ON Azure Linux 3.0

CWE-77 — Command Injection5 documents5 sources

Severity

7.1HIGHNVD

EPSS

2.1%

top 15.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM Msrc Azl3 VIM 9.1.0791-4 ON Azure Linux 3.0 +3 more

Timeline

PublishedMar 3

Latest updateMar 11

Description

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages8 packages

▶msrcmsrc/azl3_vim_9.1.1164-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_vim_9.1.1164-1_on_cbl_mariner_2.0

▶CVEListV5vim/vim< 9.1.1164

▶NVDvim/vim9.1.0858 — 9.1.1164

▶debiandebian/vim< vim 2:9.1.1230-1 (forky)

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-27423: Vim is an open source, command line text editor↗2025-03-03

▶

📋Vendor Advisories

Microsoft

Improper Input Validation in Vim↗2025-03-11

▶

Red Hat

vim: Improper Input Validation in Vim↗2025-03-03

▶

Debian

CVE-2025-27423: vim - Vim is an open source, command line text editor. Vim is distributed with the tar...↗2025

▶