Uncontrolled Search Path Element Affecting vim/vim package, versions [,9.1.1947)
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UNMANAGED-VIMVIM-14171958
- published3 Dec 2025
- disclosed2 Dec 2025
- creditSimon Zuckerbraun
Introduced: 2 Dec 2025
NewCVE-2025-66476 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade vim/vim to version 9.1.1947 or higher.
Overview
Affected versions of this package are vulnerable to Uncontrolled Search Path Element when using cmd.exe as a shell for resolving external commands while using tools like grep with :! or
compiler :make commands. An attacker can execute arbitrary code by placing a malicious executable in the same directory as the file being edited, which is then inadvertently run when certain commands or tools are invoked.
Note:
This issue affects only Windows OS.
PoC
- Create a folder,
folder1. Put some text files in this folder. - Copy
C:\Windows\System32\calc.exeand place it infolder1, changing its name tofindstr.exe. (Instead ofcalc.exeyou could use any other executable that produces a noticable effect. In a real-world attack, the attacker would plant an executable that seems outwardly to behave likefindstrbut surreptitiously performs malicious actions.) - Open a text file in
folder1using eitherVimorgVim. - Execute an (external)
grepcommand in Vim, for example::grep "a" *.txt - After a few moments you will see the Windows calculator pop up, demonstrating that the attacker has gotten the ability to run an arbitrary executable that they planted in the folder.