CVE-2025-66476 Overview
CVE-2025-66476 is an uncontrolled search path vulnerability [CWE-427] in Vim for Windows before version 9.1.1947. When Vim's 'shell' is cmd.exe (the default on Windows), external commands are resolved by cmd.exe, which searches the current working directory before the directories in %PATH%. An attacker who can place an executable named after a system utility (for example findstr.exe) in the directory Vim is running from, which is often the directory of the file being edited, gets that binary executed when the user runs :grep, :!, :make, or a compiler command. Exploitation requires local access and user interaction, but yields code execution in the user's security context.
Critical Impact
A user opening a file from an untrusted directory in Vim on Windows can trigger execution of attacker-supplied binaries like findstr.exe placed alongside the file.
Affected Products
- Vim for Windows prior to version 9.1.1947
- Microsoft Windows installations where Vim's 'shell' option is cmd.exe (the default)
- Any Vim workflow invoking :grep, :!, :make, or compiler commands
Discovery Timeline
- 2025-12-02 - CVE CVE-2025-66476 published to NVD
- 2025-12-02 - Vim security advisory GHSA-g77q-xrww-p834 published
- 2026-01-30 - Last updated in NVD database
Technical Details for CVE-2025-66476
Vulnerability Analysis
The flaw stems from how cmd.exe resolves a bare executable name: it checks the current working directory before traversing %PATH%. Vim inherits this behavior because it runs :! and :grep through cmd.exe /c rather than launching the tool directly. On Windows, 'grepprg' defaults to a findstr command, so :grep runs findstr.exe; :! runs whatever the user types. If an attacker plants a file named findstr.exe in the current directory, typically the directory of the file being edited, cmd.exe launches that binary instead of C:\Windows\System32\findstr.exe. The attacker gains code execution with the privileges of the user running Vim.
Root Cause
The root cause is reliance on the default cmd.exe command resolution order, which consults the current working directory first. Vim did not define the NoDefaultCurrentDirectoryInExePath environment variable, which removes that step from cmd.exe's lookup, before invoking external commands. The search path was therefore uncontrolled, and the contents of whatever directory Vim happened to be running in were implicitly trusted.
Attack Vector
An attacker delivers a directory containing a target file and a malicious binary, for example via a ZIP archive, network share, or USB drive. The victim opens the file in Vim with that directory as the current working directory (for instance because Vim was started there, or 'autochdir' is set) and runs any feature that calls an external tool by its bare name. cmd.exe resolves the name to the planted executable, which runs with the user's permissions.
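The lookup order described above, reproduced as a small model so the effect of the guard variable can be seen without a Windows box. This is an added example written for this page, not Vim's code or Microsoft's: the PATHEXT list is an assumed subset, the "System32" and "Downloads" directories are constructed inside a temp dir, and the planted findstr.exe is a text file standing in for a binary. It also shows the alternative to set-then-restore that the Vim patch uses, which is to hand the child a copy of the environment with the variable defined.

```python
"""Model of cmd.exe bare-command resolution (added example, not Vim code)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions cmd.exe appends to a bare name, in order (assumed PATHEXT; a
# real box usually lists more). Lower-cased so the demo also runs on
# case-sensitive filesystems.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]
GUARD_VAR = "NoDefaultCurrentDirectoryInExePath"


def resolve_command(name: str, cwd: Path, path_dirs: list[Path],
                    env: dict[str, str]) -> Path | None:
    """Return the file cmd.exe would run for a bare command name, or None.

    Simplified model of the documented lookup: a name with no path separator
    is tried in the current directory first, then in each %PATH% entry, with
    each PATHEXT extension appended (a name that already ends in one of them
    is tried as-is). Defining NoDefaultCurrentDirectoryInExePath, with any
    value, removes the current-directory step; that is the whole fix.
    """
    if "\\" in name or "/" in name:
        raise ValueError("only bare command names are resolved here")
    search = list(path_dirs)
    if GUARD_VAR not in env:
        search.insert(0, cwd)
    if Path(name).suffix.lower() in PATHEXT:
        candidates = [name]
    else:
        candidates = [name + ext for ext in PATHEXT]
    for directory in search:
        for candidate in candidates:
            target = directory / candidate
            if target.is_file():
                return target
    return None


def build_demo_tree(root: Path) -> tuple[Path, list[Path]]:
    """Construct a stand-in System32 and an untrusted folder that holds a
    document next to a planted findstr.exe (all paths made up)."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "findstr.exe").write_text("legit findstr")
    untrusted = root / "Downloads" / "archive"
    untrusted.mkdir(parents=True)
    (untrusted / "notes.txt").write_text("file the victim opens in Vim")
    (untrusted / "findstr.exe").write_text("attacker payload")
    return untrusted, [system32]


def hardened_child_env(parent_env: dict[str, str]) -> dict[str, str]:
    """Environment to hand the cmd.exe child so its lookup skips the cwd.

    Same effect as the Vim patch, which sets the variable before the spawn
    and restores it afterwards; handing a copy to the child needs no restore.
    """
    env = dict(parent_env)
    env[GUARD_VAR] = "1"
    return env


def demo() -> tuple[str, str]:
    """Resolve 'findstr' from the untrusted folder with and without the guard
    and return the contents of whichever file won each time."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd, path_dirs = build_demo_tree(Path(tmp))
        unguarded = resolve_command("findstr", cwd, path_dirs, {})
        guarded = resolve_command("findstr", cwd, path_dirs,
                                  hardened_child_env({}))
        return unguarded.read_text(), guarded.read_text()


if __name__ == "__main__":
    before, after = demo()
    print("cwd searched first ->", before)
    print("guard variable set ->", after)
```

The point of `hardened_child_env` is that a process launcher does not need to mutate and later restore its own environment, as the patch excerpt below does, if it can pass a modified copy to CreateProcess; both approaches leave cmd.exe with the variable defined at lookup time.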
/*
 * Restore a previous environment variable value, or unset it if NULL.
 * 'must_free' indicates whether 'old_value' was allocated.
 */
    static void
restore_env_var(char_u *name, char_u *old_value, int must_free)
{
    if (old_value != NULL)
    {
	vim_setenv(name, old_value);
	if (must_free)
	    vim_free(old_value);
	return;
    }
    vim_unsetenv(name);
}
/*
* Either execute a command by calling the shell or start a new shell
*/
Source: Vim commit 083ec6d. Only the restore helper is shown; the same patch adds the logic that saves any existing value of NoDefaultCurrentDirectoryInExePath, sets the variable before the shell is invoked, and calls this helper afterward so the user's environment is left as it was.
Detection Methods for CVE-2025-66476
Indicators of Compromise
- Presence of executables such as findstr.exe, cmd.exe, or compiler binaries in non-system directories that also contain document or source files.
- Process creation events for a binary whose image path is outside C:\Windows\System32 or other trusted directories, whose parent is cmd.exe, and whose grandparent is vim.exe or gvim.exe (Vim runs :! and :grep through cmd.exe /c, so the editor is usually the grandparent, not the direct parent).
- Archives extracted to user-writable paths that contain both editable files and .exe payloads with system utility names.
Detection Strategies
- Hunt for descendants of vim.exe and gvim.exe, walking at least two levels of the process tree since cmd.exe sits between Vim and the tool it runs, whose image path resolves to a user-writable directory rather than a system path.
- Monitor Sysmon Event ID 1 (process creation) for findstr, make, or compiler executables whose image path lies outside the canonical system or toolchain directories and whose parent chain includes cmd.exe under Vim.
- Correlate file write events that create executables with system utility names in document directories.
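The hunting logic from the list above, run over a handful of constructed Sysmon Event ID 1 records. This is an added example for this page, not a vendor rule: the field names (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine) are Sysmon's, but the GUIDs, users, paths and command lines are made up, and the utility-name list is an assumed starting point. The ancestry walk is the part worth copying, because the planted binary's direct parent is cmd.exe and a rule keyed only on ParentImage never sees Vim.

```python
"""Hunt for planted system-utility names under a Vim-spawned cmd.exe
(added example, not a vendor detection)."""
from __future__ import annotations

from pathlib import PureWindowsPath

EDITOR_IMAGES = {"vim.exe", "gvim.exe"}
# Names worth watching: what Vim's default 'shell' and 'grepprg' launch,
# plus a few other built-ins an attacker would plausibly impersonate
# (assumed list; extend for your environment).
UTILITY_NAMES = {"findstr.exe", "cmd.exe", "where.exe", "sort.exe", "more.exe"}
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 1 records. Chain A is the attack: gvim.exe
# runs :grep, cmd.exe resolves findstr from the cwd. B-3 is the same chain
# with findstr correctly resolved from System32. C-1 is a masquerading
# cmd.exe with no editor anywhere in its ancestry.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A-1}", "ParentProcessGuid": "{A-0}",
     "Image": "C:\\Program Files\\Vim\\vim91\\gvim.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Program Files\\Vim\\vim91\\gvim.exe" notes.txt'},
    {"ProcessGuid": "{A-2}", "ParentProcessGuid": "{A-1}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Vim\\vim91\\gvim.exe",
     "CommandLine": "cmd.exe /c findstr /n TODO *.txt"},
    {"ProcessGuid": "{A-3}", "ParentProcessGuid": "{A-2}",
     "Image": "C:\\Users\\alice\\Downloads\\archive\\findstr.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "findstr /n TODO *.txt"},
    {"ProcessGuid": "{B-3}", "ParentProcessGuid": "{A-2}",
     "Image": "C:\\Windows\\System32\\findstr.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "findstr /n TODO *.txt"},
    {"ProcessGuid": "{C-1}", "ParentProcessGuid": "{C-0}",
     "Image": "C:\\Users\\bob\\Desktop\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},
]


def image_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def in_trusted_root(image: str) -> bool:
    """True when the image lives under a canonical system directory."""
    parent = str(PureWindowsPath(image).parent).lower() + "\\"
    return parent.startswith(TRUSTED_ROOTS)


def has_editor_ancestor(event: dict, by_guid: dict, max_depth: int = 4) -> bool:
    """Walk ParentProcessGuid links looking for vim.exe or gvim.exe.

    Vim runs :! and :grep through 'cmd.exe /c ...', so the planted binary's
    direct parent is cmd.exe and the editor is the grandparent; checking
    ParentImage alone misses the chain.
    """
    guid = event["ParentProcessGuid"]
    for _ in range(max_depth):
        parent = by_guid.get(guid)
        if parent is None:
            return False
        if image_name(parent["Image"]) in EDITOR_IMAGES:
            return True
        guid = parent["ParentProcessGuid"]
    return False


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (ProcessGuid, severity) for utility-named images started from
    outside the trusted roots: 'high' when an editor is in the ancestry,
    'medium' for a bare name collision with no editor involved."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for event in events:
        if image_name(event["Image"]) not in UTILITY_NAMES:
            continue
        if in_trusted_root(event["Image"]):
            continue
        severity = "high" if has_editor_ancestor(event, by_guid) else "medium"
        findings.append((event["ProcessGuid"], severity))
    return findings


if __name__ == "__main__":
    for guid, severity in hunt(SAMPLE_EVENTS):
        print(severity, guid)
```

On a real deployment the same logic runs over Event ID 1 records pulled from the SIEM; the GUID join is what makes the grandparent relationship recoverable after the fact, since Sysmon only records one level of parentage per event.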
Monitoring Recommendations
- Enable command-line logging and Sysmon across Windows workstations used for development or text editing.
- Forward process telemetry to a centralized analytics platform to baseline expected Vim child processes.
- Alert on any executable named after a Windows built-in utility that lives outside its canonical system path.
How to Mitigate CVE-2025-66476
Immediate Actions Required
- Upgrade Vim for Windows to version 9.1.1947 or later on all affected endpoints.
- Define the NoDefaultCurrentDirectoryInExePath environment variable system-wide so cmd.exe stops searching the current directory for bare command names. It is honored by cmd.exe and by programs that call NeedCurrentDirectoryForExePath, not by every process launcher, and only processes started after it is defined pick it up.
- Avoid opening untrusted archives or repositories directly in Vim until patching is complete.
Patch Information
The fix is delivered in Vim patch 9.1.1947. The change always sets NoDefaultCurrentDirectoryInExePath when Vim invokes :! commands, regardless of user environment configuration. See the Vim Security Advisory GHSA-g77q-xrww-p834 and the GitHub Release v9.1.1947 for release notes.
Workarounds
- Define NoDefaultCurrentDirectoryInExePath=1 as a user or system environment variable before launching Vim.
- Switch Vim's 'shell' from cmd.exe to PowerShell, which never runs a bare command name from the current directory (it requires an explicit .\ prefix). The related options 'shellcmdflag', 'shellquote', 'shellxquote', 'shellpipe' and 'shellredir' have to be adjusted alongside it; see :help shell-powershell.
- Open untrusted files only from directories that contain no executable payloads, such as a dedicated quarantine folder.
Configuration example, cmd.exe: define the protective variable in the user environment. setx persists it for processes started afterwards; use plain set for the current session.
setx NoDefaultCurrentDirectoryInExePath 1

Configuration example, _vimrc: switch the shell to PowerShell. Note that vimrc comments start with a double quote, not #.
" Use PowerShell so bare command names are never resolved from the cwd;
" clear the cmd.exe-specific quoting options at the same time
set shell=powershell shellquote= shellxquote=
set shellcmdflag=-NoLogo\ -NoProfile\ -NonInteractive\ -Command
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.