CVE-2025-55157

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim’s internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been patched in version 9.1.1400.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/1307743697bbc46e1518abfea7f89caa95bcaf97	Patch
https://github.com/vim/vim/releases/tag/v9.1.1400	Patch
https://github.com/vim/vim/security/advisories/GHSA-3r4f-mm4w-wgg6	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-11 23:15

Updated : 2025-08-12 18:50

NVD link : CVE-2025-55157

Mitre link : CVE-2025-55157

CVE.ORG link : CVE-2025-55157

JSON object : View

Products Affected

vim

vim

CWE

CWE-416

Use After Free

{"id": "CVE-2025-55157", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-11T23:15:27.870", "references": [{"url": "https://github.com/vim/vim/commit/1307743697bbc46e1518abfea7f89caa95bcaf97", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.1400", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-3r4f-mm4w-wgg6", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim\u2019s internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been patched in version 9.1.1400."}, {"lang": "es", "value": "Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. En versiones desde la 9.1.1231 hasta anteriores a la 9.1.1400, al procesar tuplas anidadas en un script de Vim, un error durante la evaluaci\u00f3n pod\u00eda provocar un error de use after free en la gesti\u00f3n interna de referencias de tuplas de Vim. En concreto, la funci\u00f3n tuple_unref() pod\u00eda acceder a memoria ya liberada debido a una gesti\u00f3n incorrecta del tiempo de vida, lo que provocaba corrupci\u00f3n de memoria. Este exploit requiere la interacci\u00f3n directa del usuario, ya que el script debe ejecutarse expl\u00edcitamente en Vim. Este problema se ha corregido en la versi\u00f3n 9.1.1400."}], "lastModified": "2025-08-12T18:50:20.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E42AE7-7DBA-4536-89D7-0CCF544BD0AE", "versionEndExcluding": "9.1.1400", "versionStartIncluding": "9.1.1231"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}