CVE-2019-12735
Description
Vim before 8.1.1365 and Neovim before 0.3.6 allow arbitrary OS command execution via a crafted modeline using the :source! command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the modeline feature of Vim and Neovim, which lets a file set editor options for itself in its first and last few lines (the 'modelines' window, default 5). Some of those options, such as 'foldexpr', hold expressions that the editor evaluates, so option values taken from a modeline are evaluated inside a sandbox that is meant to block side effects such as shell commands. In affected versions (Vim before 8.1.1365, Neovim before 0.3.6) the :source! command was not checked against that sandbox, so an expression placed in a modeline could reach it, for example through assert_fails() in Vim or nvim_input() in Neovim. :source! runs a file's lines as Normal-mode commands; pointing it at the file being edited (%) turns the file's own first line into a command, so arbitrary OS commands run the moment the file is opened, provided the 'modeline' option is on. It is on by default for ordinary users (Vim turns it off for root) [1][4].
Exploitation
An attacker crafts a text file whose first line carries both the command to run and the modeline, such as:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

When the victim opens the file with a vulnerable Vim, the modeline turns on expression folding and sets 'foldexpr' to assert_fails("source! %"). Evaluating that expression sources the current file with :source!, which replays line 1 as Normal-mode input, so `:!uname -a` runs in the shell; the `||"..."` tail is never executed because uname succeeds, and it keeps the rest of the line from being run as a second command. The Neovim variant uses nvim_input() in place of assert_fails() [4]. No authentication or privileged position is required; the only interaction needed is opening the file, which any downloaded file, patch, configuration file, or repository content can provide. The payload generalises to any command, including a reverse shell, and the modeline can be hidden with terminal escape sequences so that the file looks innocuous when inspected with cat [4].
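The crafted-modeline attack above, turned into a detector. This is an added example and not code from the original page, from the advisory, or from the Vim/Neovim projects: a Python scanner that checks only the lines Vim actually inspects (first and last 'modelines', default 5), strips CSI terminal escape sequences that hide a line from cat, parses both Vim modeline syntaxes, and flags expression options ('foldexpr' and friends) whose value reaches :source, the shell, or a helper such as assert_fails()/nvim_input(). The option subset, the payload list (system(), execute() and a literal `:!` are added beyond what the advisory names), the backslash normalisation, and all sample inputs except the advisory's Vim PoC line quoted above are this example's own assumptions, not Vim's exact parsing rules.

```python
"""Scanner for CVE-2019-12735-style modelines (added example, not project code)."""
import re
import sys
from typing import Dict, List, Optional

# CSI escape sequences (ESC '[' params intermediates final), the kind used to
# hide a line from `cat`.  Assumption: other sequence families are not handled.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

# A modeline starts at beginning-of-line or after whitespace with one of the
# vi/vim/Vim/ex prefixes, an optional version constraint, then a colon.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(.*)$")

# Options whose value Vim evaluates as an expression (short -> long name).
# Assumption: this subset is enough for the advisory's technique.
EXPR_OPTIONS = {
    "fde": "foldexpr", "foldexpr": "foldexpr",
    "fdt": "foldtext", "foldtext": "foldtext",
    "inde": "indentexpr", "indentexpr": "indentexpr",
    "fex": "formatexpr", "formatexpr": "formatexpr",
    "inex": "includeexpr", "includeexpr": "includeexpr",
}

# 'source', assert_fails() and nvim_input() come from the advisory; system(),
# execute() and a literal ':!' are added here as general hygiene.
PAYLOAD_RE = re.compile(
    r"\bsource\b|\bassert_fails\s*\(|\bnvim_input\s*\(|\bsystem\s*\(|\bexecute\s*\(|:!",
    re.IGNORECASE,
)


def strip_escapes(line: str) -> str:
    """Remove CSI sequences so text hidden from a terminal is visible to us."""
    return CSI_RE.sub("", line)


def split_options(opts: str) -> List[str]:
    """Split on unescaped ':' or whitespace; a backslash protects the next char."""
    tokens: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):
            cur.append(ch + opts[i + 1])
            i += 2
            continue
        if ch == ":" or ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def extract_modeline(line: str) -> Optional[List[str]]:
    """Return the option tokens of the modeline on this line, or None."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    opts = m.group(1)
    if re.match(r"se(?:t)?\s", opts):
        # Second form, 'vim: set ... :', ends at the first unescaped colon.
        end = re.search(r"(?<!\\):", opts)
        if end:
            opts = opts[: end.start()]
        return split_options(opts)[1:]
    return split_options(opts)


def unescape(value: str) -> str:
    """Drop backslashes before any char: a normalisation for matching only,
    coarser than Vim's own option-backslash rules."""
    return re.sub(r"\\(.)", r"\1", value)


def scan_text(text: str, modelines: int = 5) -> List[Dict[str, object]]:
    """Scan the first and last `modelines` lines (Vim's default window is 5)."""
    lines = text.splitlines()
    n = len(lines)
    window = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings: List[Dict[str, object]] = []
    for idx in window:
        clean = strip_escapes(lines[idx])
        tokens = extract_modeline(clean)
        if tokens is None:
            continue
        for tok in tokens:
            name, sep, value = tok.partition("=")
            if not sep:
                continue
            long_name = EXPR_OPTIONS.get(name.rstrip("+^-"))  # handles +=, ^=, -=
            if long_name is None:
                continue
            plain = unescape(value)
            if PAYLOAD_RE.search(plain):
                findings.append({"line": idx + 1, "option": long_name,
                                 "value": plain, "hidden": clean != lines[idx]})
    return findings


# Constructed sample inputs.  SAMPLE_POC is the advisory's Vim PoC line; the
# hidden Neovim-style variant and the benign files are made up for this example.
SAMPLE_POC = r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="' + "\n"
SAMPLE_HIDDEN = (
    "just a normal looking file\n" + "\x1b[?7l"
    + r':!uname -a||" vi:fen:fdm=expr:fde=nvim_input("\<Esc>\:source!\ \%\<CR>"):fdl=0:fdt="'
    + "\x1b[1A\x1b[2K\n"
)
SAMPLE_BENIGN = "# config\nfoo=1\n# vim: set ts=4 sw=4 et:\n"
SAMPLE_LEGIT_FOLDEXPR = "# vim: fdm=expr fde=getline(v\\:lnum)=~'^#'?0\\:1\nbody\n"
SAMPLE_OUT_OF_WINDOW = "\n".join(
    SAMPLE_POC.strip() if i == 6 else f"line {i}" for i in range(12)) + "\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f['line']}: {f['option']}={f['value']!r} hidden={f['hidden']}")
```

Run it as `python3 modeline_scan.py FILE...` (the file name is arbitrary). The PoC line yields one finding on 'foldexpr' with the normalised value assert_fails("source! %"); the escape-hidden variant is reported with hidden=True; the ordinary `vim: set ts=4 sw=4 et:` modeline and a legitimate getline()-based 'foldexpr' produce nothing; and a PoC parked on line 7 of a 12-line file is ignored with the default window but found with modelines=10. When the victim's 'modelines' setting is unknown, passing a large value (or the line count) is the conservative choice.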
Impact
Successful exploitation runs arbitrary OS commands with the privileges of the user who opened the file, which is root when a file is inspected from an elevated editor session. This can lead to complete compromise of that account and, from there, of the host: data theft, malware installation, or further network propagation. Because the trigger is nothing more than opening a text file, any file the victim receives or checks out (patches, configuration files, source trees) is a viable carrier.
Mitigation
Vim fixed the issue in patch 8.1.1365 (commit 53575521406739cf20bbe4e384d88e7dca11f040, "source command doesn't check for the sandbox") and Neovim in version 0.3.6 (PR #10082); the public advisory was published on June 4, 2019. Red Hat shipped fixes in RHSA-2019:1619 and later advisories, and Debian, Ubuntu, SUSE/openSUSE, Fedora and Gentoo issued the updates listed in the references [1]. Update to a fixed version; distribution builds backport the fix, so check the package advisory or changelog rather than the upstream version number alone. Where updating is not immediately possible, the effective workaround is to turn modelines off with `set nomodeline` (or `set modelines=0`) in vimrc or init.vim, which removes the whole class of modeline-driven option abuse rather than only this instance; note that 'modeline' is off by default only for root.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Vim/Vim (vendor/product named in the CVE description)
- OSV coordinates (no CPE); 28 package entries, each with the version range in which the package is affected:
  - pkg:rpm/opensuse/neovim&distro=openSUSE%20Leap%2015.0 range: < 0.3.1-bp150.2.6.1
  - pkg:rpm/opensuse/neovim&distro=openSUSE%20Leap%2015.1 range: < 0.3.1-bp150.2.6.1
  - pkg:rpm/opensuse/neovim&distro=openSUSE%20Tumbleweed range: < 0.5.1-1.1
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.0 range: < 8.0.1568-lp151.5.3.1
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.1 range: < 8.0.1568-lp151.5.3.1
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed range: < 8.2.3408-1.2
  - pkg:rpm/suse/neovim&distro=SUSE%20Package%20Hub%2015 range: < 0.3.1-bp150.2.6.1
  - pkg:rpm/suse/neovim&distro=SUSE%20Package%20Hub%2015%20SP1 range: < 0.3.7-bp151.3.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%204 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 range: < 8.0.1568-5.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 range: < 8.0.1568-5.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015 range: < 8.0.1568-5.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1 range: < 8.0.1568-5.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 range: < 7.2-8.21.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS range: < 7.2-8.21.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 range: < 7.4.326-17.3.1
  - pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%207 range: < 7.4.326-17.3.1
Patches
No patches discovered yet by the index; the upstream fixes are nonetheless among the references below: Vim commit 53575521406739cf20bbe4e384d88e7dca11f040 (patch 8.1.1365) and Neovim PR #10082.
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html (vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html (vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html (vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html (vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html (vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html (vendor advisory)
- access.redhat.com/errata/RHSA-2019:1619 (vendor advisory)
- access.redhat.com/errata/RHSA-2019:1774 (vendor advisory)
- access.redhat.com/errata/RHSA-2019:1793 (vendor advisory)
- access.redhat.com/errata/RHSA-2019:1947 (vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/ (vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/ (vendor advisory)
- security.gentoo.org/glsa/202003-04 (vendor advisory)
- usn.ubuntu.com/4016-1/ (vendor advisory)
- usn.ubuntu.com/4016-2/ (vendor advisory)
- www.debian.org/security/2019/dsa-4467 (vendor advisory)
- www.debian.org/security/2019/dsa-4487 (vendor advisory)
- www.securityfocus.com/bid/108724 (VDB entry)
- lists.debian.org/debian-lts-announce/2019/08/msg00003.html (mailing list)
- seclists.org/bugtraq/2019/Jul/39 (mailing list)
- seclists.org/bugtraq/2019/Jun/33 (mailing list)
- bugs.debian.org/930020
- bugs.debian.org/930024
- github.com/neovim/neovim/pull/10082
- github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
- github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
- support.f5.com/csp/article/K93144355
- www.exploit-db.com/exploits/46973
News mentions
No linked articles in our index yet.