CVE-2025-53906: Vim has path traversal issue with zip.vim and special crafted zip archives
Published Jul 15, 2025
·Updated
Admin Framework. A logic issue was addressed with improved checks.
Other sources
Admin Framework. The issue was addressed with improved checks.
— Apple
App Store. A logging issue was addressed with improved data redaction.
— Apple
Apple Account. A privacy issue was addressed with improved checks.
— Apple
Apple Neural Engine. The issue was addressed with improved memory handling.
— Apple
AppleMobileFileIntegrity. A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
— Apple
Credit
Asaf Cohen, Ron Masas(BreakPoint), Pinak Oza, an anonymous researcher, Mickey Jin@@patch1t, Gergely Kalman@@gergely_kalman, Joseph Ravichandran@@0xjprx(MIT CSAIL), Dave G. (supernetworks.org), JZ, Zhongcheng Li(IES Red Team of ByteDance), Duy Trần@@khanhduytran0, Csaba Fitzl@@theevilbit(Kandji), Hikerell (Loadshine Lab), Wojciech Regula(SecuRing), Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), 이동하 (Lee Dong Ha(BoB 14th), wac(Trend Micro Zero Day Initiative), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Adwiteeya Agrawal, Kenneth Chew, Rodolphe Brunetti@@eisw0lf(Lupus Nova), Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), @@EthanArbuckle, pattern-f@@pattern_F_, iisBuri, Ferdous Saljooki@@malwarezoo(Jamf), Murray Mike, Cristian Dinca (icmd.tech), Apple, Dave G.(supernetworks), Alex Radocea(supernetworks), Taavi Eomäe(Zone Media), Romain Lebesle(Khatima), Himanshu Bharti@@Xpl0itme(Khatima), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), BynarIO AI (bynar.io), Google Threat Analysis Group, Doug Hogan, Kirin@@Pwnrin, KPC(Cisco Talos), CVE-2024-43398, CVE-2024-49761, CVE-2025-6442, @@RenwaX23, Zhongquan Li@@Guluisacat, Ryan Dowd@@_rdowd, Stanislav Jelezoglo, Vivek Dhar, ASI (RM) in Border Security Force, FTR HQ BSF Kashmir, Nikolai Skliarenko(Trend Micro Zero Day Initiative), an anonymous researcher(Microsoft), Kirin@@Pwnrin(Microsoft), Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), Amy@@asentientbot, CVE-2025-32462, CVE-2025-53906, Aleksejs Popovs, Phil Beauvoir, Google Big Sleep, Gary Kwong, rheza@@ginggilBesel, Justin Cohen(Google), Nan Wang@@eternalsakura13, rheza@@ginggilBesel(Trend Micro Zero Day Initiative), shandikri(Trend Micro Zero Day Initiative), Gary Kwong(Trend Micro Zero Day Initiative), Tom Van Goethem, Wang Yu(Cyberserval), @@cloudlldb, Morris Richman@@morrisinlife
Affected Software
3 affected componentsFixes available
vim Vim<9.1.1551
vim Vim<9.1.1551
Apple macOS Tahoe<26.1
26.1
Remediation
Event History
Jul 15, 2025
CVE Published
via MITRE·08:52 PM
Data Sourced
via MITRE·08:52 PM
DescriptionSeverityWeakness
Data Sourced
via Red Hat·09:01 PM
DescriptionSeverityAffected Software
Data Sourced
via NVD·09:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 3, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-43471
- CVE-2025-43322
- CVE-2025-46313
- CVE-2025-43455
- CVE-2025-43447
- CVE-2025-43462
- CVE-2025-43390
- CVE-2025-43388
- CVE-2025-43466
- CVE-2025-43382
- CVE-2025-43468
- CVE-2025-43379
- CVE-2025-43378
- CVE-2025-43478
- CVE-2025-43407
- CVE-2025-43446
- CVE-2025-43465
- CVE-2025-43423
- CVE-2025-43497
- CVE-2025-43394
- CVE-2025-43448
- CVE-2025-43395
- CVE-2025-43461
- CVE-2025-43426
- CVE-2025-43401
- CVE-2025-43479
- CVE-2025-43436
- CVE-2025-43381
- CVE-2025-43445
- CVE-2025-43481
- CVE-2025-43470
- CVE-2025-46315
- CVE-2025-43387
- CVE-2025-43420
- CVE-2025-43464
- CVE-2025-43498
- CVE-2025-43507
- CVE-2025-43348
- CVE-2025-43474
- CVE-2025-43396
- CVE-2025-43444
- CVE-2025-43467
- CVE-2025-43398
- CVE-2025-43510
- CVE-2025-43520
- CVE-2025-43413
- CVE-2025-43494
- CVE-2025-43496
- CVE-2025-43386
- CVE-2025-43385
- CVE-2025-43384
- CVE-2025-43383
- CVE-2025-43377
- CVE-2025-43424
- CVE-2025-43364
- CVE-2025-43506
- CVE-2025-43389
- CVE-2025-43469
- CVE-2025-43411
- CVE-2025-43508
- CVE-2025-43405
- CVE-2025-43391
- CVE-2025-43393
- CVE-2025-46316
- CVE-2024-43398
- CVE-2024-49761
- CVE-2025-6442
- CVE-2025-43493
- CVE-2025-43503
- CVE-2025-43502
- CVE-2025-43406
- CVE-2025-43404
- CVE-2025-43339
- CVE-2025-43500
- CVE-2025-43335
- CVE-2025-43408
- CVE-2025-43476
- CVE-2025-30465
- CVE-2025-43414
- CVE-2025-43473
- CVE-2025-43499
- CVE-2025-43380
- CVE-2025-43477
- CVE-2025-43399
- CVE-2025-43336
- CVE-2025-43397
- CVE-2025-43409
- CVE-2025-43351
- CVE-2025-43463
- CVE-2025-32462
- CVE-2025-43334
- CVE-2025-43412
- CVE-2025-53906
- CVE-2025-43480
- CVE-2025-43458
- CVE-2025-43430
- CVE-2025-43427
- CVE-2025-43443
- CVE-2025-43441
- CVE-2025-43435
- CVE-2025-43425
- CVE-2025-43440
- CVE-2025-43438
- CVE-2025-43457
- CVE-2025-43434
- CVE-2025-43433
- CVE-2025-43431
- CVE-2025-43432
- CVE-2025-43429
- CVE-2025-43421
- CVE-2025-43392
- CVE-2025-43373
- CVE-2025-43402
- CVE-2025-43472
Frequently Asked Questions
1
What is the severity of CVE-2025-53906?
The severity of CVE-2025-53906 is considered low due to the requirement of direct user interaction for exploitation.
2
How do I fix CVE-2025-53906?
To fix CVE-2025-53906, users should upgrade to Vim version 9.1.1551 or later.
3
What type of vulnerability is CVE-2025-53906?
CVE-2025-53906 is a path traversal vulnerability that affects the zip.vim plugin in Vim.
4
Which versions of Vim are affected by CVE-2025-53906?
Vim versions prior to 9.1.1551 are affected by CVE-2025-53906.
5
What is the impact of CVE-2025-53906?
The impact of CVE-2025-53906 is low, as it requires the user to open specially crafted zip archives for exploitation.