A critical security vulnerability has been discovered in Vim for Windows that could allow attackers to execute malicious code on users’ computers.
The vulnerability, identified as CVE-2025-66476, affects Vim versions before 9.1.1947 and has been rated high severity, with a CVSS score of 7.8.
The flaw lies in how Vim searches for external programs on Windows systems. When users run commands in Vim, like: grep or: make.
Overview of the Windows-Specific Vim Vulnerability
The text editor searches for required executables in the current working directory before checking system directories. This order of operations creates a dangerous opportunity for attackers to inject malicious files.
An attacker can put a fake malicious file with a common name, like findstr.exe, inside the project folder.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-66476 |
| Package | Vim for Windows |
| Vulnerability Type | Uncontrolled Search Path Element (CWE-427) |
| Severity | High |
| CVSS Score | 7.8 |
| CVSS Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
When a user opens a file from that folder and executes a grep command, Vim runs the attacker’s malicious version instead of the legitimate Windows system file.
This allows the attacker to execute arbitrary code with the same privileges as the user running Vim. The vulnerability becomes particularly dangerous in common development scenarios.
For example, when a developer clones a malicious repository and opens files using Vim, they could unknowingly trigger the attack.
Simply performing routine tasks like searching through code with: grep, filtering text with! Running build tools, such as make, could activate the malicious payload.
Users don’t need elevated permissions for this attack to succeed, and the vulnerability can be triggered whenever Vim uses external commands. The attacker needs only user-level privileges to plant malicious files in a directory.
According to an advisory published on GitHub, all Windows users running Vim version 9.1.1946 or earlier are vulnerable. This includes users of both Vim and gVim.
Vim released patch version 9.1.1947 to fix this vulnerability. Users should immediately update to this version or later.
The patch changes how Vim searches for external executables, preventing it from prioritizing files in the current working directory.
Users should immediately update Vim for Windows to version 9.1.1947 or later to protect themselves against potential code-execution attacks.
This vulnerability highlights the importance of keeping development tools up to date and being cautious when opening files from untrusted sources.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
