Arbitrary command execution on Windows in vim/vim


Reported on

Jul 10th 2023


Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems, this is possible by having a malicious file with the same name as a trusted executable, Windows gives priority to the current directory when searching for executables.

Several built-in plugins execute commands when opening files, for example, the Perl plugin (runtime/ftplugin/perl.vim) executes the perl command when opening a Perl file.

Proof of Concept

  • Create a perl.bat file (perl or perl.exe works too) with the command you want to execute, for example:
@echo off
echo hacked! > pwned.txt
  • Enable filetype detection, you can add this in your .vimrc:
filetype plugin on
  • Open any Perl file from the same directory as the perl.bat file.
  • The command from the perl.bat file will be executed, creating a pwned.txt file in the current directory.

Additional information

This vulnerability can be exploited by other plugins, like zip.vim (runtime/ftplugin/zip.vim) which executes the unzip command when opening a zip file.

This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953. Note that this affects all plugins that execute commands (make calls to system()) on Windows systems.

I was able to reproduce this on Windows 10 with GVim, Vim on Powershell and Vim on the normal CMD.

Possible fixes

  • Use absolute paths when executing commands.
  • Set the NeedCurrentDirectoryForExePath environment variable when executing commands on Windows systems (maybe make it an opt-in option?).
  • Maybe there is an option to avoid this behavior in CreateProcessW?
  • Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
  • Others?


An attacker can trick a user into downloading the malicious files, and by opening or creating some files in this directory can lead to the attacker to execute arbitrary commands.


  • Create a perl.bat file
  • Open any perl file with vim
We are processing your report and will contact the vim team within 24 hours. 5 months ago
We have contacted a member of the vim team and are waiting to hear back 5 months ago
Santos Gallegos modified the report
4 months ago
3 months ago


sorry, I did not get a notification for this issue here. I have pushed the patch which should fix the issue.

Christian Brabandt validated this vulnerability 3 months ago
Santos Gallegos has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Santos Gallegos
3 months ago


@chrisbra thanks for the quick fix! Any chances this could be fixed from the root?

Otherwise, lots of other plugins that execute commands will need to implement a similar check. Maybe document this problem on Windows, so plugin authors are aware of it.

Santos Gallegos
3 months ago


Maybe document this problem on Windows, so plugin authors are aware of it.

Edit: Maybe document that this problem happens on Windows, so plugin authors are aware of it.

Christian Brabandt marked this as fixed in 9.0.1833 with commit 816fbc 3 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 3 months ago
perl.vim#L57-L62 has been validated
to join this conversation