CVE-2025-29768: 
Vim vulnerability analysis and mitigation

Vim, a text editor, was found to be vulnerable to potential data loss through its zip.vim plugin in versions prior to 9.1.1198. The vulnerability was discovered on March 12, 2025, and involves specially crafted zip files that could lead to unintended data extraction (GitHub Advisory, NVD).

The vulnerability exists in the zip.vim plugin's handling of zip archives containing files with names starting with '-'. When extracting such files, Vim uses the unzip command without properly sanitizing filenames, which could lead to argument injection. The issue received a CVSS v3.1 base score of 4.4 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating local attack vector, low attack complexity, no privileges required, and required user interaction (GitHub Advisory, Snyk).

The vulnerability could result in potential data loss when a user views a maliciously crafted zip archive and attempts to extract files. If an attacker creates an archive containing a file named '-d/tmp' and a user tries to extract it, the unzip command could interpret the filename as an argument, potentially leading to unintended file extraction and overwriting of existing files (GitHub Advisory).

The vulnerability has been fixed in Vim patch v9.1.1198. The fix implements a workaround using the '[-]' glob pattern to protect filenames starting with '-' from being interpreted as command arguments. Users are advised to upgrade to version 9.1.1198 or later (GitHub Commit).