CVE-2025-27423

7.1 HIGH

📋 TL;DR

This vulnerability in Vim's tar.vim plugin allows arbitrary shell command execution when opening specially crafted tar archives. Attackers can exploit this by tricking users into opening malicious tar files, potentially leading to remote code execution. Users running Vim versions 9.1.0858 through 9.1.1163 with the tar.vim plugin enabled are affected.

💻 Affected Systems

Products:
  • Vim with tar.vim plugin
Versions: Vim 9.1.0858 through 9.1.1163
Operating Systems: Linux, Unix-like systems, macOS, Windows (with compatible shell)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires tar.vim plugin (enabled by default) and depends on shell configuration via $SHELL or 'shell' option.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case: Local privilege escalation or arbitrary file read/write when users open malicious tar files, potentially leading to credential theft or lateral movement.

🟢 If Mitigated: Limited impact if users only open trusted tar files and have restricted shell permissions, though risk remains for privilege escalation.

🌐 Internet-Facing: LOW - Vim is typically not directly internet-facing, though web interfaces or remote editing tools could increase exposure.
🏢 Internal Only: MEDIUM - Internal users opening tar files from untrusted sources could lead to lateral movement within networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction: the victim must open a malicious tar file in Vim. A proof of concept exists in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vim 9.1.1164 or later

Vendor Advisory: https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3

Restart Required: No

Instructions:

1. Update Vim to version 9.1.1164 or later using your package manager.
2. For source installations: git pull from the official repository and rebuild.
3. Verify that the patch was applied with a version check.

🔧 Temporary Workarounds

Disable tar.vim plugin (all platforms)

Prevents tar file handling through the vulnerable plugin:

echo 'let g:loaded_tarPlugin = 1' >> ~/.vimrc

Restrict shell permissions (Linux)

Limit shell capabilities to reduce impact:

chmod 700 /bin/bash
set shell=/bin/false (in .vimrc)

Note that chmod 700 /bin/bash also denies bash to every non-root user and to system scripts that invoke it, and shell=/bin/false disables all shell-based Vim features (:!, filters, :make), so test either change before rolling it out.

🧯 If You Can't Patch

  • Avoid opening tar files from untrusted sources in Vim
  • Use the command-line tar utility instead of the tar.vim plugin

🔍 How to Verify

Check if Vulnerable:

Check the Vim version with 'vim --version' and see whether it falls between 9.1.0858 and 9.1.1163 (the patch level is on the 'Included patches' line)

Check Version:

vim --version | grep 'Included patches'

Verify Fix Applied:

Confirm the version is 9.1.1164 or later: 'vim --version | head -1' shows the 9.1 release line, and the 'Included patches' line must reach 1164 or higher
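As an added check that is not part of this advisory page, the shell function below parses `vim --version` output and reports whether the build falls in the affected 9.1.0858 through 9.1.1163 range; the sample banners are constructed and abridged.

```shell
# Added example, not from the advisory: classify a `vim --version` banner
# against the affected range 9.1.0858 .. 9.1.1163 (CVE-2025-27423).
# Usage: vim --version | vim_tar_affected     or   vim_tar_affected "$banner"
# Prints one of: affected, not affected, unknown.
vim_tar_affected() {
    banner=${1:-$(cat)}
    mm='' last=''
    while IFS= read -r line; do
        case $line in
            "VIM - Vi IMproved "*)
                # First line, e.g. "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)"
                rest=${line#"VIM - Vi IMproved "}
                mm=${rest%% *}                 # -> "9.1"
                ;;
            "Included patches: "*)
                # e.g. "Included patches: 1-1100"; keep the trailing digits,
                # i.e. the highest patch level included in this build
                last=${line##*[!0-9]}
                ;;
        esac
    done <<EOF
$banner
EOF
    case $mm in
        *.*) major=${mm%%.*}; minor=${mm#*.} ;;
        *) echo unknown; return 0 ;;
    esac
    [ -z "$last" ] && last=0        # no patches listed: treat as 9.1.0000
    if [ "$major" -eq 9 ] && [ "$minor" -eq 1 ] \
       && [ "$last" -ge 858 ] && [ "$last" -le 1163 ]; then
        echo affected
    else
        echo "not affected"
    fi
}

# Constructed sample banners (abridged) for a vulnerable and a patched build.
SAMPLE_VULNERABLE='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Feb 01 2025 00:00:00)
Included patches: 1-1100
Compiled by example@host
Huge version without GUI.'
SAMPLE_PATCHED='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 01 2025 00:00:00)
Included patches: 1-1164
Compiled by example@host
Huge version without GUI.'

vim_tar_affected "$SAMPLE_VULNERABLE"   # affected
vim_tar_affected "$SAMPLE_PATCHED"      # not affected
```

The version check alone does not tell you whether tar.vim is actually loaded; a build in range with `g:loaded_tarPlugin` set is still reported as affected.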

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands executed from Vim process
  • Tar file openings followed by unexpected process spawns

Network Indicators:

  • Outbound connections from Vim process to unexpected destinations

SIEM Query:

process_name:vim AND (process_cmdline:*tar* OR parent_process:tar)
