Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
- <= 9.2.0435
A command injection vulnerability has been identified in Vim's file completion system. This issue affects versions of Vim prior to 9.2.0435. The vulnerability arises because the 'path' option can be set from a modeline, allowing an attacker to execute arbitrary shell commands. When the 'path' option includes backtick-enclosed commands, those commands are executed during the completion process of the ':find' command. The lack of a security flag for the 'path' option enables this exploitation.
Exploitation allows arbitrary command execution in the context of the Vim process. It occurs when the ':find', ':sfind', or ':tabfind' command is used while the 'path' option includes backtick-enclosed commands. The vulnerability requires the 'modeline' feature to be enabled, which is the default in older Vim versions.
To reproduce this vulnerability, create a file that includes a modeline setting the 'path' option with a backtick-enclosed command. Open this file in a Vim version prior to 9.2.0435 and trigger completion for the ':find' command. The backtick command is executed, demonstrating the command injection.
Users can update to Vim version 9.2.0435 or later, where this vulnerability has been patched.
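For triage before or alongside patching, the following added example (not part of the original advisory or of Vim itself) scans the lines where Vim looks for modelines and flags any that assign 'path' a value containing a backtick. The 5-line window (Vim's default 'modelines' value), the short option name `pa`, and the function and sample names are assumptions of this sketch; the matching is a heuristic and may over-report.

```python
import re

MODELINES = 5  # Vim's default 'modelines': lines checked at each end of a file

# Modeline introducer: vi:, vim:, Vim:, vim<ver>: or ex:, at line start or after a blank.
INTRO = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):")
# Assignment to 'path' (short name 'pa'); the lookbehind skips e.g. 'cdpath'.
PATH_SET = re.compile(r"(?<![A-Za-z])(?:path|pa)[+^-]?=")


def suspicious_modelines(text, window=MODELINES):
    """Return (line_number, line) for modelines that set 'path' with a backtick."""
    lines = text.splitlines()
    n = len(lines)
    # Only the first and last `window` lines can hold a modeline.
    candidates = sorted(set(range(min(window, n))) | set(range(max(n - window, 0), n)))
    hits = []
    for i in candidates:
        intro = INTRO.search(lines[i])
        if not intro:
            continue
        opts = lines[i][intro.end():]
        m = PATH_SET.search(opts)
        if m and "`" in opts[m.end():]:
            hits.append((i + 1, lines[i]))
    return hits


# Constructed samples; `CMD` is a placeholder, not a real command.
SAMPLE_BAD = "int main(void) { return 0; }\n/* vim: set ts=4 path=.,`CMD`: */\n"
SAMPLE_OK = "# vim: set ts=4 path=.,/usr/include :\nprint('hi')\n"
SAMPLE_DEEP = "\n".join(["x"] * 10 + ["# vim: path=`CMD`"] + ["x"] * 10)

if __name__ == "__main__":
    import sys
    # Usage: python scan_modelines.py FILE...
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as fh:
            for lineno, line in suspicious_modelines(fh.read()):
                print(f"{name}:{lineno}: {line.strip()}")
```

A hit means the file should be reviewed before it is opened in an unpatched Vim with 'modeline' enabled; pass a larger `window` if your environment raises 'modelines'.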