Vim & Emacs 被 Claude 模型发现 RCE 漏洞
- 内容介绍
- 文章标签
- 相关推荐
MAD Bugs: vim vs emacs vs Claude
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too.
[!quote]+
该漏洞根据安全通报 GHSA-2gmj-rpqf-pxvh 进行跟踪,并立即得到修补。强烈建议系统管理员和用户将其环境升级到 Vim 版本 9.2.0172 以减轻威胁。
然而,该漏洞的披露过程出现了争议。在报告该错误后,GNU Emacs 维护者拒绝解决该安全缺陷,并正式将意外行为的根本原因归因于 Git 而不是文本编辑器本身。这使得 Emacs 用户处于不稳定的境地,直到建立社区解决方法或上游缓解措施。
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
MADBugs/vim-vs-emacs-vs-claude/vim.md
main
# Vim tabpanel modeline RCE affects Vim < 9.2.0272
## Summary
A two-bug chain in Vim allows arbitrary command execution when a user opens a crafted file. The `tabpanel` option can be set from a modeline without requiring `modelineexpr`, and its expression is later evaluated in the sandbox. That sandbox can be escaped because `autocmd_add()` does not check whether it is running in a secure context, allowing deferred execution outside the sandbox.
---
## Technical Details
The issue depends on two flaws:
1. **`tabpanel` is missing `P_MLE`**
Unlike `statusline` and `tabline`, `tabpanel` is not marked with the `P_MLE` flag. This allows a modeline to inject `%{...}` expressions even when `modelineexpr` is disabled.
2. **`autocmd_add()` lacks `check_secure()`**
Vim evaluates insecure `tabpanel` expressions in the sandbox, but `autocmd_add()` can still register autocommands there. Those autocommands execute later, after the sandbox exits.
A modeline can therefore:
- force the tab panel visible with `showtabpanel=2`
此文件已被截断。 显示原始文件
MADBugs/vim-vs-emacs-vs-claude/Emacs.md
main
# GNU Emacs: Multiple Remote Code Execution Vectors on File Open
## Summary
Opening a file in GNU Emacs can trigger arbitrary code execution through
version control (git), most requiring **zero user interaction**
beyond the file open itself. The most severe finding requires no
file-local variables at all - simply opening any file inside a directory
containing a crafted `.git/` folder executes attacker-controlled commands.
**Date:** 2026-03-29
**Tested on:**
- GNU Emacs 31.0.50 (master branch, commit 0c961b7778a)
- GNU Emacs 30.2 (build 1, aarch64-apple-darwin23.2.0, NS appkit-2487.30 Version 14.2 (Build 23C64))
---
## Technical Details
`vc-refresh-state` is unconditionally registered in `find-file-hook`
此文件已被截断。 显示原始文件
网友解答:
--【壹】--:
我看还有谁嘲笑Win11新记事本RCE(也是Markdown中的问题)
--【贰】--:
已经有佬声称用无限量codex找漏洞赚了4.5w了
--【叁】--:
手握Emacs,C-x C-c
--【肆】--:
真有神秘人下别人 .git 目录吗,,
--【伍】--:
窝要笑
--【陆】--:
强,佬
--【柒】--:
早上论坛看到了,大佬们说和Emacs关系不大,是.git的问题,其他程序也可能会触发
MAD Bugs: vim vs emacs vs Claude
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too.
[!quote]+
该漏洞根据安全通报 GHSA-2gmj-rpqf-pxvh 进行跟踪,并立即得到修补。强烈建议系统管理员和用户将其环境升级到 Vim 版本 9.2.0172 以减轻威胁。
然而,该漏洞的披露过程出现了争议。在报告该错误后,GNU Emacs 维护者拒绝解决该安全缺陷,并正式将意外行为的根本原因归因于 Git 而不是文本编辑器本身。这使得 Emacs 用户处于不稳定的境地,直到建立社区解决方法或上游缓解措施。
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
MADBugs/vim-vs-emacs-vs-claude/vim.md
main
# Vim tabpanel modeline RCE affects Vim < 9.2.0272
## Summary
A two-bug chain in Vim allows arbitrary command execution when a user opens a crafted file. The `tabpanel` option can be set from a modeline without requiring `modelineexpr`, and its expression is later evaluated in the sandbox. That sandbox can be escaped because `autocmd_add()` does not check whether it is running in a secure context, allowing deferred execution outside the sandbox.
---
## Technical Details
The issue depends on two flaws:
1. **`tabpanel` is missing `P_MLE`**
Unlike `statusline` and `tabline`, `tabpanel` is not marked with the `P_MLE` flag. This allows a modeline to inject `%{...}` expressions even when `modelineexpr` is disabled.
2. **`autocmd_add()` lacks `check_secure()`**
Vim evaluates insecure `tabpanel` expressions in the sandbox, but `autocmd_add()` can still register autocommands there. Those autocommands execute later, after the sandbox exits.
A modeline can therefore:
- force the tab panel visible with `showtabpanel=2`
此文件已被截断。 显示原始文件
MADBugs/vim-vs-emacs-vs-claude/Emacs.md
main
# GNU Emacs: Multiple Remote Code Execution Vectors on File Open
## Summary
Opening a file in GNU Emacs can trigger arbitrary code execution through
version control (git), most requiring **zero user interaction**
beyond the file open itself. The most severe finding requires no
file-local variables at all - simply opening any file inside a directory
containing a crafted `.git/` folder executes attacker-controlled commands.
**Date:** 2026-03-29
**Tested on:**
- GNU Emacs 31.0.50 (master branch, commit 0c961b7778a)
- GNU Emacs 30.2 (build 1, aarch64-apple-darwin23.2.0, NS appkit-2487.30 Version 14.2 (Build 23C64))
---
## Technical Details
`vc-refresh-state` is unconditionally registered in `find-file-hook`
此文件已被截断。 显示原始文件
网友解答:
--【壹】--:
我看还有谁嘲笑Win11新记事本RCE(也是Markdown中的问题)
--【贰】--:
已经有佬声称用无限量codex找漏洞赚了4.5w了
--【叁】--:
手握Emacs,C-x C-c
--【肆】--:
真有神秘人下别人 .git 目录吗,,
--【伍】--:
窝要笑
--【陆】--:
强,佬
--【柒】--:
早上论坛看到了,大佬们说和Emacs关系不大,是.git的问题,其他程序也可能会触发