Vim vulnerable to potential data loss with zip.vim and special crafted zip files
Description
Vim's zip.vim plugin before v9.1.1198 allows argument injection via crafted zip member filenames like '-d/tmp', leading to unintended extraction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Vim versions prior to 9.1.1198 are vulnerable to an argument injection flaw in the zip.vim plugin (CVE-2025-29768). The plugin passes user-controlled member filenames directly to the unzip command without sanitization. An attacker can craft a zip archive containing a file whose name starts with -, such as -d/tmp, which unzip interprets as an option argument rather than a filename. This causes unzip to extract the entire archive into a directory chosen by the attacker, potentially overwriting files. The issue is hard to mitigate at the command line because unzip version 6.0 (common on many systems) does not support a -- end-of-arguments marker. The fix was included in Vim patch v9.1.1198 [1][2].
Exploitation
An attacker must convince a user to open a specially crafted zip archive in Vim using the zip.vim plugin (e.g., by opening the archive file with Vim or using :e on the zip). Once the archive is loaded, the user must press x on the listed member file that has a name like -d/tmp (or similar). The plugin then constructs a command such as unzip -o <archive.zip> -d/tmp, which unzip interprets as a request to extract all files into /tmp. No additional authentication or special network position is required beyond social engineering the user into performing these actions [1].
Impact
Successful exploitation allows an attacker to cause extraction of the entire zip archive into an arbitrary directory on the victim's filesystem, potentially overwriting existing files. This can lead to data loss or unintended file replacement, depending on the extracted content and the destination directory. The vulnerability affects the confidentiality and integrity of user data, though the attacker does not gain code execution or elevated privileges directly [1].
Mitigation
The vulnerability is fixed in Vim version 9.1.1198, released March 11, 2025. Users should update Vim to this version or later. The fix adds a substitution in zip.vim that prepends [-] to filenames starting with a -, preventing them from being interpreted as arguments by unzip [2]. There is no practical workaround for users of unzip 6.0, as the -- option is not supported; upgrading Vim is the recommended action. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
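The following POSIX shell script is an added illustration, not code from the Vim project or from the advisory. It models the member-name handling described above before and after the 9.1.1198 fix, and adds a listing check a defender can run over an archive's member names before extracting. The function names are mine, the sample listing is constructed, and the script assumes that the fix's substitution rewrites a leading - as the bracket expression [-], which unzip's wildcard matching reads as a literal hyphen rather than as the start of an option.

```sh
#!/bin/sh
# Added example, not code from the Vim project or the advisory.
# Models the member-name handling of zip.vim before and after the fix the
# page describes (Vim 9.1.1198), and gives a listing check for archives
# whose member names unzip would parse as options.
# Assumption: the fix rewrites a leading "-" as the bracket expression
# "[-]", which unzip's wildcard matcher treats as a literal hyphen, so the
# member name can no longer be read as an option such as -d.

# Pre-fix behaviour: the member name is passed to unzip untouched.
# Prints the argument vector one element per line (unzip is not run).
build_unzip_cmd_unsafe() {
    archive=$1
    member=$2
    printf '%s\n' unzip -o "$archive" "$member"
}

# escape_member NAME: rewrite a leading "-" as "[-]" (the fix's substitution)
escape_member() {
    case "$1" in
        -*) printf '%s\n' "[-]${1#-}" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Post-fix behaviour: same argument vector, but with the escaped member name.
build_unzip_cmd_safe() {
    archive=$1
    member=$2
    printf '%s\n' unzip -o "$archive" "$(escape_member "$member")"
}

# flag_option_like_members: read member names on stdin (one per line, as
# produced by "unzip -Z1 ARCHIVE"), print every name that begins with "-",
# and return 1 if any was found so the caller can stop before extracting.
flag_option_like_members() {
    found=0
    while IFS= read -r name; do
        case "$name" in
            -*) printf 'option-like member name: %s\n' "$name"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample listing (not taken from a real archive): a benign
# member followed by the "-d/tmp" name quoted in the advisory.
SAMPLE_LISTING='README.md
-d/tmp'

echo "argv without the fix:"
build_unzip_cmd_unsafe sample.zip '-d/tmp'
echo "argv with the fix:"
build_unzip_cmd_safe sample.zip '-d/tmp'
echo "listing check:"
printf '%s\n' "$SAMPLE_LISTING" | flag_option_like_members \
    || echo "refuse to extract until the archive has been inspected"
```

Run as-is to see the two argument vectors side by side; the fourth argument is -d/tmp in the unsafe form and [-]d/tmp in the safe form. The listing check is the useful part for triage: feeding it the output of unzip -Z1 on an archive of unknown origin tells you whether any member name would be parsed as an option by an unpatched zip.vim or by any other wrapper that builds an unzip command line the same way.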
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
35 entries; 33 OSV package coordinates (33 versions), none with a CPE:
- pkg:deb/ubuntu/vim@2:7.4.052-1ubuntu3.1+esm20?arch=source&distro=esm-infra-legacy/trusty (range: >= 0)
- pkg:deb/ubuntu/vim@2:7.4.1689-3ubuntu1.5+esm26?arch=source&distro=esm-infra/xenial (range: >= 0)
- pkg:deb/ubuntu/vim@2:8.0.1453-1ubuntu1.13+esm11?arch=source&distro=esm-infra/bionic (range: >= 0)
- pkg:deb/ubuntu/vim@2:8.1.2269-1ubuntu5.31?arch=source&distro=focal (range: >= 0)
- pkg:deb/ubuntu/vim@2:8.2.3995-1ubuntu2.23?arch=source&distro=jammy (range: >= 0)
- pkg:deb/ubuntu/vim@2:9.1.0016-1ubuntu7.6?arch=source&distro=noble (range: >= 0)
- pkg:deb/ubuntu/vim@2:9.1.0496-1ubuntu6.4?arch=source&distro=oracular (range: >= 0)
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP7 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS (range: < 9.1.1406-17.48.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 (range: < 9.1.1406-150500.20.27.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 (range: < 9.1.1406-17.48.1)
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.3 (range: < 9.1.1406-150000.5.75.1)
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.3 (range: < 9.1.1406-150000.5.75.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/vim/vim/commit/f209dcd3defb95bae21b2740910e6aa7bb940531 (MITRE x_refsource_MISC)
- https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.