{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-02T16:23:01.098Z", "datePublished": "2025-12-02T21:49:24.672Z", "dateUpdated": "2025-12-05T04:56:29.527Z"}, "containers": {"cna": {"title": "Vim for Windows Uncontrolled Search Path Element Remote Code Execution Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "lang": "en", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834"}, {"name": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25"}, {"name": "https://github.com/vim/vim/releases/tag/v9.1.1947", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.1.1947"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.1.1947", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-02T21:49:24.672Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947."}], "source": {"advisory": "GHSA-g77q-xrww-p834", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-04T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-66476"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T04:56:29.527Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/12/02/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-03T00:12:51.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/12/02/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-03T00:12:51.024Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-03T00:34:33.249728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T21:55:51.383Z"}}], "cna": {"title": "Vim for Windows Uncontrolled Search Path Element Remote Code Execution Vulnerability", "source": {"advisory": "GHSA-g77q-xrww-p834", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.1.1947"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834", "name": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25", "name": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.1947", "name": "https://github.com/vim/vim/releases/tag/v9.1.1947", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-02T21:49:24.672Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66476", "state": "PUBLISHED", "dateUpdated": "2025-12-05T04:56:29.527Z", "dateReserved": "2025-12-02T16:23:01.098Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-02T21:49:24.672Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947."}], "id": "CVE-2025-66476", "lastModified": "2025-12-04T17:15:08.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-12-02T22:16:09.940", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25"}, {"source": "security-advisories@github.com", "url": "https://github.com/vim/vim/releases/tag/v9.1.1947"}, {"source": "security-advisories@github.com", "url": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/12/02/5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vim: Vim for Windows: Uncontrolled search path vulnerability allows arbitrary code execution", "id": "2418541", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418541"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-427", "details": ["An uncontrolled search-path vulnerability in Vim for Microsoft Windows allows an attacker who can place a trojanized executable in a directory opened by the user to cause Vim to run that executable when Vim invokes external commands (for example :grep, :!, filters !, :make, or system() in Vimscript). This can result in arbitrary code execution with the privileges of the user running Vim. The issue only affects Vim on Windows platforms (ms-win builds) and is not triggered on Unix-like systems."], "name": "CVE-2025-66476", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-12-02T21:49:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66476\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66476\nhttps://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25\nhttps://github.com/vim/vim/releases/tag/v9.1.1947\nhttps://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834"], "statement": "This flaw is specific to Vim on Microsoft Windows systems and arises from Windows-only search-path behavior when external commands are invoked. The vulnerable code path does not exist in Vim builds for Linux. As a result, Red Hat products are not affected by this vulnerability."}