Technical Advisory: Shell Injection in MacVim mvim URI Handler

Vendor: macvim-dev
Vendor URL:
Versions affected: snapshot-110
Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust>
Bug discovery credit: Anonymous
Advisory URL / CVE Identifier: TBD
Risk: Critical


MacVim is a Mac OS port of Vim.

MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a variety of means, including through malicious web pages.


Attackers can execute arbitrary shell commands as the logged-in user when that user visits an attacker-controlled web page or clicks an attacker-provided link.




MacVim is vulnerable to a shell injection attack in its handling of ‘mvim’ URLs. Shell injection is a class of vulnerability where an attacker can change the nature of executed shell commands through malformed input.
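For illustration, a URI handler avoids this class of bug by validating numeric parameters strictly and by passing arguments as a vector to exec instead of assembling a shell command string. The sketch below is an added example, not MacVim's code and not part of the original advisory. The `open` host, the `url` and `line` parameter names, the `MAX_POS` bound, the `build_argv` helper and the `+call cursor(...)` argument form are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

MAX_POS = 1_000_000  # assumed sanity bound for line/column numbers


def _position(params, name):
    """Return params[name] as a bounded positive int, or 1 when absent."""
    values = params.get(name)
    if not values:
        return 1
    if len(values) != 1:
        raise ValueError(f"{name}: repeated parameter")
    text = values[0]
    # ASCII digits only: no sign, whitespace, or shell metacharacters.
    if not (text.isascii() and text.isdigit()) or len(text) > 7:
        raise ValueError(f"{name}: not a decimal integer")
    number = int(text)
    if not 1 <= number <= MAX_POS:
        raise ValueError(f"{name}: out of range")
    return number


def build_argv(uri):
    """Turn an mvim:// URI into an argv list for exec, never a shell string."""
    parts = urlsplit(uri)
    if parts.scheme != "mvim" or parts.netloc != "open":
        raise ValueError("not an mvim://open URI")
    params = parse_qs(parts.query, keep_blank_values=True)
    target = urlsplit(params.get("url", [""])[0])
    if target.scheme != "file" or not target.path.startswith("/"):
        raise ValueError("url: only absolute file:// paths accepted")
    line = _position(params, "line")
    column = _position(params, "column")
    # Each element is one argv entry; "--" ends option parsing before the path.
    return ["mvim", f"+call cursor({line},{column})", "--", target.path]


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, one with a non-numeric column.
    for sample in ("mvim://open?url=file:///tmp/notes.txt&line=3&column=5",
                   "mvim://open?url=file:///tmp/notes.txt&column=5%3Becho"):
        try:
            print(build_argv(sample))
        except ValueError as err:
            print("rejected:", err)
```

The returned list is meant for an exec-style call such as `subprocess.run(argv)` with no shell involved, so a rejected `column` value never reaches a command interpreter.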


As no patch is available, discontinue use of MacVim or disable the mvim:// URI scheme using RCDefaultApp until a patch is made available.

Vendor Communication

2016-10-06 - Emailed MacVim asking for security contact address
   using email listed on github repo
2016-11-02 - Emailed MacVim asking for security contact address
   using email addresses for owner accounts listed on github
2016-12-08 - Sent final notice of public disclosure including
   full advisory details and proof of concept exploit, providing
   a planned disclosure date of December 15th, 2016.
2016-12-08 - Response from MacVim received acknowledging the
   email and promising to look into the bug
2017-01-16 - Asked for update from MacVim
2017-02-15 - Moved to accelerated disclosure due to unresponsive

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  24 February 2017
