Full Report
Vulnerabilities in the Vim and GNU Emacs text editors, discovered using simple prompts with the Claude assistant, allow remote code execution simply by opening a file. [...]
Analysis Summary
# Vulnerability: AI-Discovered RCE via Modeline and Version Control in Vim and Emacs
## CVE Details
- **CVE ID**:
- **Vim**: none assigned at the time of writing; tracked as GitHub Security Advisory GHSA-2gmj-rpqf-pxvh.
- **Emacs**: none assigned; the Emacs maintainers dispute that this is an Emacs vulnerability.
- **CVSS Score**: none published; severity is estimated high because the outcome is code execution as the user who opens the file.
- **CWE**:
- Vim: CWE-20 (Improper Input Validation), CWE-265 (Privilege Issues; here a sandbox bypass).
- Emacs: CWE-88 (Argument Injection); more generally, trusting attacker-controlled repository configuration.
## Affected Systems
- **Products**: Vim Text Editor, GNU Emacs Text Editor.
- **Versions**:
- **Vim**: Version 9.2.0271 and earlier.
- **GNU Emacs**: all current releases (unpatched at the time of writing).
- **Configurations**:
- **Vim**: any file carrying a malicious modeline (a `vim:`/`vi:`/`ex:` option line within the first or last few lines of the file; Vim inspects these by default because `modeline` is on for non-root users).
- **Emacs**: `vc-git` enabled (the default, as `Git` is listed in `vc-handled-backends`); the victim opens a file inside a directory tree that contains an attacker-supplied `.git/config`.
## Vulnerability Description
### Vim
Vim evaluates modeline options inside its sandbox, which is meant to stop a modeline from executing commands or touching the filesystem. Missing security checks in the modeline handling let a crafted modeline escape that sandbox, so attacker-chosen commands run with the privileges of the user who opened the file. Opening the file is the only interaction required; nothing has to be typed in the editor.
### GNU Emacs
The flaw lies in Emacs' Version Control integration (`vc-git`). Visiting a file runs `vc-refresh-state`, which shells out to `git` to determine the file's VC status. Git reads the repository-local `.git/config` and honours `core.fsmonitor`, a setting that names a hook command Git runs to learn which files have changed since the last index refresh. An attacker who supplies a `.git` directory whose `config` points `core.fsmonitor` at a script shipped alongside it therefore gets that script executed the moment the victim opens any file under that tree, with no prompt and no interaction beyond the file open. Git treats repository-local configuration as trusted, so the same `.git` directory would fire under any tool that runs Git there; the Emacs-specific part is that VC runs Git automatically on visiting a file.
## Exploitation
- **Status**: PoC available (developed and refined by Claude AI).
- **Complexity**: Low.
- **Attack Vector**: Local (file-based, usually via social engineering). Triggered by opening a crafted file in Vim, or by extracting an archive that carries a hidden `.git` directory and then opening any file under it in Emacs.
## Impact
- **Confidentiality**: High (code runs as the user, so every file and credential that user can read is exposed).
- **Integrity**: High (the attacker can modify the user's files and configuration, including editor and shell startup files).
- **Availability**: High (the user's data can be deleted or rendered unusable).
## Remediation
### Patches
- **Vim**: Update to **Vim version 9.2.0272** or later.
- **GNU Emacs**: no vendor patch; the maintainers dispute the report (see CVE Details above).
### Workarounds
- **Vim**: disable modeline processing by adding `set nomodeline` (or, equivalently, `set modelines=0`) to your `.vimrc`; root already has `modeline` off by default.
- **GNU Emacs**:
- Avoid opening files from untrusted sources or archives.
- Be cautious of directories containing unexpected `.git` folders, and inspect `.git/config` before opening anything under them.
- Disable the Git backend by removing `Git` from `vc-handled-backends`, or disable VC entirely by setting `vc-handled-backends` to `nil`; this stops Emacs from running Git when a file is visited, at the cost of VC features.
## Detection
- **Indicators of Compromise**:
- Files containing unusual or complex modeline strings in the first/last few lines.
- Presence of a `.git/config` in a downloaded archive or repository that sets `core.fsmonitor`.
- **Detection Methods**:
- Scan for `core.fsmonitor` within `.git/config` files in untrusted directories.
- Monitor for unexpected child processes (e.g., shells, network tools) spawned by `vim` or `emacs`.
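As an added example (not code from the Calif write-up, Vim, Emacs or Git), the following Python script implements the two file-based detection methods above over a directory tree such as an extracted archive: it reports Vim modeline candidates only in the head and tail lines that Vim actually inspects (the `'modelines'` default of 5), and it parses every `.git/config` it finds for `core.fsmonitor`. The key list also covers a few other Git settings that name commands Git executes (`core.hooksPath`, `core.sshCommand`, `core.gitProxy`, `core.pager`, `core.editor`, `diff.external`, and `!`-prefixed aliases); those extra keys, the minimal config parser and the constructed sample tree in `demo()` are this example's own assumptions, not part of the report.

```python
"""Scan a directory tree (e.g. an extracted archive) for the two triggers in
this report: Vim modelines in text files and command-executing keys in
repository-local .git/config files. Added example, not code from Vim, Emacs,
Git or the Calif write-up; the parser, the key list beyond core.fsmonitor and
the sample tree in demo() are this example's own assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Git config keys whose value is a command (or path to commands) Git executes.
# core.fsmonitor is the report's key; the rest are added here for completeness.
DANGEROUS_GIT_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.gitproxy",
    "core.pager", "core.editor", "diff.external",
}
# Vim recognises "vi:", "vim:" or "ex:" (optionally with a version test such as
# vim700: or vim>74:) at line start or after whitespace. Case-insensitive
# matching is slightly broader than Vim, which is what a scanner wants.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex)(?:[<=>]?\d+)?:", re.IGNORECASE)
MODELINES = 5   # Vim's 'modelines' default: only this many head/tail lines count
SECTION_RE = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')


def parse_git_config(text):
    """Parse the common subset of git-config syntax into {"section.key": value}.
    Section/key names are lowercased as Git compares them; subsections keep
    case. Bare keys mean true. Includes and multi-line values are not handled."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        if section is None:                    # key before any header: invalid
            continue
        key, sep, value = line.partition("=")
        value = value.strip() if sep else "true"
        if value.startswith('"'):              # quoted: up to the closing quote
            end = value.find('"', 1)
            value = value[1:end] if end > 0 else value[1:]
        else:                                  # unquoted: drop trailing comment
            value = re.split(r"\s[#;]", value, maxsplit=1)[0].rstrip()
        entries[f"{section}.{key.strip().lower()}"] = value
    return entries


def dangerous_git_settings(config_text):
    """Return [(key, value)] for settings that make Git run a command."""
    return [(k, v) for k, v in parse_git_config(config_text).items()
            if k in DANGEROUS_GIT_KEYS
            or (k.startswith("alias.") and v.startswith("!"))]  # "!" alias = shell


def find_modelines(lines, limit=MODELINES):
    """Return [(line_number, text)] for modeline candidates within the first
    and last `limit` lines, the only region Vim inspects."""
    n = len(lines)
    candidates = set(range(min(limit, n))) | set(range(max(0, n - limit), n))
    return [(i + 1, lines[i].rstrip("\n")) for i in sorted(candidates)
            if MODELINE_RE.search(lines[i])]


def scan_tree(root):
    """Walk `root`; return sorted (path, kind, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            cfg = Path(dirpath, "config")
            for key, value in dangerous_git_settings(
                    cfg.read_text(encoding="utf-8", errors="replace")):
                findings.append((str(cfg), "git-config", f"{key} = {value}"))
            dirnames[:] = []                   # skip the rest of .git
            continue
        for name in filenames:
            path = Path(dirpath, name)
            try:
                lines = path.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True)
            except OSError:
                continue
            for lineno, text in find_modelines(lines):
                findings.append((str(path), "modeline", f"{lineno}: {text.strip()}"))
    return sorted(findings)


def demo():
    """Scan a constructed tree: .git/config pointing core.fsmonitor at a
    non-existent script, a README with a benign modeline on line 10, and a
    clean file. Nothing here can execute anything."""
    with tempfile.TemporaryDirectory(prefix="madbugs-scan-") as root:
        git = Path(root, "project", ".git")
        git.mkdir(parents=True)
        (git / "config").write_text(
            "[core]\n\trepositoryformatversion = 0\n"
            "\tfsmonitor = /nonexistent/evil.sh\n"
            '[remote "origin"]\n\turl = https://example.invalid/repo.git\n')
        Path(root, "project", "README").write_text(
            "Project notes\n" + "x\n" * 8 + "# vim: set ft=markdown:\n")
        Path(root, "project", "clean.txt").write_text("nothing to see\n" * 3)
        return scan_tree(root)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{kind:10} {path}: {detail}")
```

Run as a script it scans the constructed tree and prints one `git-config` finding for `core.fsmonitor` and one `modeline` finding for the README; for a real archive call `scan_tree("/path/to/extracted")` before opening anything inside it. The parser deliberately covers only the common config subset, so for a definitive answer on a flagged file cross-check with Git's own reader, `git config --file <path> --get core.fsmonitor`, which never executes the value.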
## References
- **Calif Research Blog**: hxxps[://]blog[.]calif[.]io/p/mad-bugs-vim-vs-emacs-vs-claude
- **Vim Security Advisory**: hxxps[://]github[.]com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
- **Emacs/Git Technical Breakdown**: hxxps[://]github[.]com/califio/publications/blob/main/MADBugs/vim-vs-emacs-vs-claude/Emacs[.]md