Vim/Neovim Arbitrary Code Execution via Modelines

Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines when a specially crafted text file is opened. The modeline feature allows custom editor options to be specified in a line near the start or end of a file. [3]

Thus, one can trivially construct a modeline that runs code outside the sandbox:

An additional step is needed for Neovim which blacklists : [4]

Here, can be used instead, which takes a argument, too: [5]

The following modeline utilizes a fold expression to run to execute the current file, which in turn executes as a shell command:

Additionally, the Neovim-only function is vulnerable to the same approach via e.g.:

Beyond patching, it’s recommended to disable modelines in the vimrc ( ), to use the securemodelines plugin, or to disable (since patch 8.1.1366, Vim-only) to disallow expressions in modelines.
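As a defensive complement to the mitigations above, the following scanner (an added example, not code from the advisory or from the Vim/Neovim projects) finds modelines in the same window the editor would honour (the first and last 5 lines, Vim's default for the 'modelines' option) and flags any that set an option whose value Vim evaluates as an expression, such as a fold expression. Both modeline forms are parsed: the `vi:opt:opt:` form and the `vim: set opt opt:` form. The set of expression-valued option names is an assumption drawn from Vim's option documentation as recalled here, and the sample file at the bottom is constructed.

```python
"""Scan text files for Vim/Neovim modelines that set expression-valued options.

Added example for reviewing files before they are opened in an editor that
still honours modelines; it is not part of the original advisory.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# Options whose value Vim evaluates as an expression (long and short names).
# Assumed list, recalled from Vim's option documentation; extend as needed.
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex",
    "includeexpr", "inex", "indentexpr", "inde", "diffexpr", "dex",
    "patchexpr", "pex", "printexpr", "pexpr", "charconvert", "ccv",
    "balloonexpr", "bexpr", "statusline", "stl", "tabline", "tal",
    "titlestring", "iconstring",
}

# A modeline starts with vi:, vim:, Vi:, Vim: or ex:, optionally with a
# version test such as vim<700:, and must be preceded by whitespace or
# start the line.
MODELINE_RE = re.compile(r"(?:^|\s)(?:[vV]im?|ex)(?:[<>=]?\d+)?:\s*(.*)$")


def parse_modeline(line: str) -> Optional[List[str]]:
    """Return the option tokens of a modeline, or None if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    rest = m.group(1)
    setm = re.match(r"se(?:t)?\s+(.*)", rest)
    if setm:
        # "set" form: options run until the first unescaped ':'.
        body = re.split(r"(?<!\\):", setm.group(1), maxsplit=1)[0]
    else:
        # Plain form: options separated by whitespace or ':' (escaped "\:" kept).
        body = rest
    return [tok for tok in re.split(r"(?<!\\)[:\s]+", body) if tok]


def option_name(token: str) -> str:
    """Strip '=value', '!', '&' and similar suffixes from an option token."""
    m = re.match(r"[A-Za-z]+", token)
    return m.group(0) if m else ""


class Finding(NamedTuple):
    line_no: int          # 1-based line number of the modeline
    options: List[str]    # every option token on that modeline
    risky: List[str]      # tokens that set an expression-valued option


def scan_text(text: str, modelines: int = 5) -> List[Finding]:
    """Report every modeline Vim would honour in the head/tail window."""
    lines = text.splitlines()
    head = range(0, min(modelines, len(lines)))
    tail = range(max(len(lines) - modelines, 0), len(lines))
    findings = []
    for idx in sorted(set(head) | set(tail)):
        opts = parse_modeline(lines[idx])
        if opts is None:
            continue
        risky = [tok for tok in opts if option_name(tok) in EXPR_OPTIONS]
        findings.append(Finding(idx + 1, opts, risky))
    return findings


def has_expression_modeline(text: str, modelines: int = 5) -> bool:
    """True when any honoured modeline sets an expression-valued option."""
    return any(f.risky for f in scan_text(text, modelines))


# Constructed sample: a benign modeline on line 1, a modeline on line 6 that
# lies outside the 5-line window (so Vim ignores it), and a flagged one on
# line 12 that sets a fold expression (here a harmless getline() call).
SAMPLE = "\n".join([
    "/* vim: set ts=4 sw=4 et: */",
    "#include <stdio.h>",
    "",
    "int main(void) {",
    "    puts(\"hello\");",
    "    /* vim: set foldexpr=0: */",
    "    return 0;",
    "}",
    "",
    "",
    "",
    "// vi:fdm=expr:fde=getline(v\\:lnum):",
])

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                flag = "RISKY" if f.risky else "ok   "
                print(f"{flag} {path}:{f.line_no}: {' '.join(f.options)}")
```

Run it as `python scan_modelines.py file1 file2 ...` over untrusted files before opening them, or wire it into a pre-commit or CI step. A hit only means an expression will be evaluated; whether that is hostile still needs a human look, which is also why the editor-side fixes above (disabling modelines or expression evaluation in them) remain the primary control.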

Source: github.com