CVE-2025-66476

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25	Patch
https://github.com/vim/vim/releases/tag/v9.1.1947	Release Notes
https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/02/5	Mailing List Patch Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-02 22:16

Updated : 2026-01-30 18:50

NVD link : CVE-2025-66476

Mitre link : CVE-2025-66476

CVE.ORG link : CVE-2025-66476

JSON object : View

Products Affected

microsoft

windows

vim

vim

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2025-66476", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-12-02T22:16:09.940", "references": [{"url": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.1947", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/02/5", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947."}], "lastModified": "2026-01-30T18:50:29.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F415DD0-063B-4239-B760-A7327109D919", "versionEndExcluding": "9.1.1947"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-advisories@github.com"}