Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-53906
Summary
Vim is an open source, command line text editor. Prior to version 9.1.1551, a Path Traversal issue in Vims "zip.vim" plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system.
- HIGH
- LOCAL
- LOW
- CHANGED
- REQUIRED
- NONE
- NONE
- LOW
CWE-22 - Path Traversal
Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.
References
Advisory Timeline
- Published
