ALAS2023-2025-1138

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1138
Advisory Released Date: 2025-08-18
Advisory Updated Date: 2025-08-18

Severity: Medium

References: CVE-2025-53905 CVE-2025-53906
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability. (CVE-2025-53905)

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability. (CVE-2025-53906)

Affected Packages:

vim

Issue Correction:
Run dnf update vim --releasever 2023.8.20250818 or dnf update --advisory ALAS2023-2025-1138 --releasever 2023.8.20250818 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    vim-enhanced-debuginfo-9.1.1591-1.amzn2023.0.1.aarch64
    xxd-9.1.1591-1.amzn2023.0.1.aarch64
    vim-debuginfo-9.1.1591-1.amzn2023.0.1.aarch64
    xxd-debuginfo-9.1.1591-1.amzn2023.0.1.aarch64
    vim-minimal-9.1.1591-1.amzn2023.0.1.aarch64
    vim-minimal-debuginfo-9.1.1591-1.amzn2023.0.1.aarch64
    vim-enhanced-9.1.1591-1.amzn2023.0.1.aarch64
    vim-debugsource-9.1.1591-1.amzn2023.0.1.aarch64
    vim-common-9.1.1591-1.amzn2023.0.1.aarch64

noarch:
    vim-data-9.1.1591-1.amzn2023.0.1.noarch
    vim-default-editor-9.1.1591-1.amzn2023.0.1.noarch
    vim-filesystem-9.1.1591-1.amzn2023.0.1.noarch

src:
    vim-9.1.1591-1.amzn2023.0.1.src

x86_64:
    vim-enhanced-debuginfo-9.1.1591-1.amzn2023.0.1.x86_64
    vim-debuginfo-9.1.1591-1.amzn2023.0.1.x86_64
    vim-minimal-debuginfo-9.1.1591-1.amzn2023.0.1.x86_64
    xxd-9.1.1591-1.amzn2023.0.1.x86_64
    vim-debugsource-9.1.1591-1.amzn2023.0.1.x86_64
    vim-enhanced-9.1.1591-1.amzn2023.0.1.x86_64
    xxd-debuginfo-9.1.1591-1.amzn2023.0.1.x86_64
    vim-minimal-9.1.1591-1.amzn2023.0.1.x86_64
    vim-common-9.1.1591-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-53905, CVE-2025-53906

Mitre: CVE-2025-53905, CVE-2025-53906