Vim Zip Plugin Path Traversal Vulnerability Allowing Arbitrary File Overwrite

A path traversal vulnerability has been identified in Vim's zip.vim plugin, affecting versions prior to 9.2.0280. This vulnerability allows overwriting of arbitrary files when opening specially crafted zip archives, bypassing a previous fix for CVE-2025-53906. The issue arises because the plugin's path normalization process can be manipulated to escape the intended directory restrictions.

Impact

Exploitation of this vulnerability can lead to overwriting of sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. However, successful exploitation requires direct user interaction.

Reproduction

To reproduce this vulnerability, open a specially crafted zip archive in Vim version prior to 9.2.0280. Select and edit a file within the archive that has been designed to exploit the path traversal issue by prefixing the traversal with a dummy directory component. When the file is saved, Vim will overwrite an existing file outside the intended working directory.

Remediation

Users can upgrade to Vim version 9.2.0280 or later to address this vulnerability.