Path Traversal Vulnerability in Vim's Tar Plugin Affects Open Source Text Editor
CVE-2025-53905

4.1 MEDIUM

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53905?

Vim, the popular open-source command-line text editor, is affected by a path traversal vulnerability in its tar.vim plugin. Prior to version 9.1.1552, opening a malformed tar archive in Vim allows the archive to cause arbitrary files to be overwritten. The impact is rated low because exploitation requires user interaction (the victim must open the archive in Vim), but a successful attack can overwrite sensitive files or, depending on the permissions of the Vim process, lead to arbitrary code execution. Users should treat archives from untrusted sources with caution: unusual member file names and content may indicate malicious activity. Version 9.1.1552 includes the patch for this issue.
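The defensive check behind a fix for this class of bug is to reject archive members whose names (or link targets) resolve outside the extraction root before anything is written. The following is an added illustration in Python, not Vim's tar.vim code or its actual patch; the sample archive, its member names and the `member_escapes_root`/`unsafe_members` helpers are constructed for this example.

```python
import io
import posixpath
import tarfile


def member_escapes_root(name: str) -> bool:
    """True if an archive member name would resolve outside the extraction root."""
    if not name:
        return True
    first = name.replace("\\", "/").split("/")[0]
    # Absolute paths and Windows drive prefixes ("C:") leave the root immediately.
    if name.startswith(("/", "\\")) or (len(first) == 2 and first[1] == ":" and first[0].isalpha()):
        return True
    # Normalise "a/./b/../c" style names; anything that still starts with ".." escapes.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def unsafe_members(tar_bytes: bytes):
    """Return [(name, reason)] for members whose extraction could write outside the root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if member_escapes_root(m.name):
                findings.append((m.name, "path escapes extraction root"))
            elif m.issym() or m.islnk():
                # A symlink target is relative to the member's directory; a hardlink
                # target is relative to the archive root. Either can redirect later writes.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname) if m.issym() else m.linkname
                if member_escapes_root(target):
                    findings.append((m.name, "link target escapes extraction root"))
    return findings


def build_sample_tar() -> bytes:
    """Constructed sample: one benign file, one traversal name, one escaping symlink."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../../.vimrc"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.bashrc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_tar()):
        print(f"REJECT {name!r}: {reason}")
```

Running it flags the `../../.vimrc` member and the `docs/link` symlink while leaving `docs/readme.txt` untouched.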

Affected Version(s)

vim < 9.1.1552

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
