Arbitrary code execution via crafted PHP file in omni-completion
Summary
A flaw was found in Vim, an open-source command-line text editor. The PHP omni-completion script improperly handles specially crafted input. When a victim opens a malicious PHP file and invokes omni-completion, an unescaped class or trait name can be interpreted as Ex commands. This allows a remote attacker to achieve arbitrary operating-system command execution. Red Hat Product Security has rated this vulnerability as having a Moderate impact. The requirement for a non-default configuration, combined with mandatory user interaction, significantly reduces the real-world risk." Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Weakness: CWE-94. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Hardened Images; Red Hat OpenShift Container Platform 4. Red Hat does not currently list a fixing RHSA for this CVE.
Mitigation checklist
- Users should exercise caution when opening untrusted PHP files and avoid invoking omni-completion on them. To prevent exploitation, the PHP omni-completion script can be disabled by moving or renaming `phpcomplete.vim`. For example, execute `mv /usr/share/vim/vim*/autoload/phpcomplete.vim /usr/share/vim/vim*/autoload/phpcomplete.vim.bak`. This action will disable PHP omni-completion functionality. A restart of Vim is necessary for this change to take effect.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.