Vim/Neovim Arbitrary Code Execution via Modelines
Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines when a specially crafted text file is opened. The modeline feature allows a file to specify custom editor options near its start or end. [3]
Thus, one can trivially construct a modeline that runs code outside the sandbox:
An additional step is needed for Neovim which blacklists : [4]
Here, can be used instead, which takes a argument, too: [5]
The following modeline utilizes a fold expression to run to execute the current file, which in turn executes as a shell command:
Additionally, the Neovim-only function is vulnerable to the same approach via e.g.:
Beyond patching, it’s recommended to disable modelines in the vimrc ( ), to use the securemodelines plugin, or (since patch 8.1.1366, Vim-only) to disable the option that permits expressions in modelines.
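As an added example (not code from the original report or from Vim), a small scanner that checks the lines Vim actually inspects for modelines and flags any option that takes an expression, such as the fold expression abused here; the set of option names and the sample lines are my own assumptions.

```python
import re
from typing import List, Tuple

# Vim only looks for modelines in the first and last 'modelines' lines (default 5).
MODELINES = 5

# Options whose value is a Vim expression (short and long names). foldexpr/fdx
# is the one abused in this bug; the others are the remaining standard *expr options.
EXPR_OPTIONS = {
    "foldexpr", "fdx", "formatexpr", "fex",
    "includeexpr", "inex", "indentexpr", "inde",
}

# Modeline marker: 'vi:', 'vim:', 'Vim:', 'ex:' and version forms like 'vim<800:'.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im[<>=]?\d*|ex):\s*(.*)$")

def parse_modeline(line: str) -> List[str]:
    """Return the option tokens of a modeline, or [] if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    rest = m.group(1)
    set_form = re.match(r"(?:se|set)\s+(.*)", rest)
    if set_form:
        # 'set' form: options run up to the first colon, text may follow.
        return set_form.group(1).split(":", 1)[0].split()
    # Plain form: options separated by whitespace or colons, to end of line.
    return [tok for tok in re.split(r"[\s:]+", rest) if tok]

def option_name(token: str) -> str:
    """'fdx=expr' -> 'fdx'; 'nomodeline' -> 'nomodeline'."""
    return token.split("=", 1)[0]

def find_expr_modelines(text: str) -> List[Tuple[int, str]]:
    """(1-based line number, option token) for each expression option set by a
    modeline inside the head/tail region Vim would scan."""
    lines = text.splitlines()
    idx = set(range(min(MODELINES, len(lines))))
    idx |= set(range(max(0, len(lines) - MODELINES), len(lines)))
    return [(i + 1, tok) for i in sorted(idx)
            for tok in parse_modeline(lines[i])
            if option_name(tok) in EXPR_OPTIONS]

# Constructed sample: a harmless modeline, then one that sets a fold expression
# (the value is a placeholder, not a real expression).
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "plain text line",
    "/* vim: set fdm=expr fdx=EXAMPLE_EXPR: */",
])

if __name__ == "__main__":
    for lineno, tok in find_expr_modelines(SAMPLE):
        print(f"line {lineno}: expression option in modeline: {tok}")
```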
Source: github.com