[chrismorgan]

I suspect that if you asked ten Vim developers where they’d start looking for this kind of security issue, at least nine of them would say “modeline” (and if one didn’t, it would just be because they forgot about the feature, and would change their answer to that as soon as you mentioned it). There’s a reason popular configurations have disabled it from time immemorial.

As for the Emacs thing, it feels utterly unfair to blame Emacs. The issue is 100% Git, and it’s unreasonable and undesirable for things like Emacs to try to put guard rails around parts of its functionality. Especially guard rails that may harm functionality. They were right to decline the suggested patch.

I don’t know how the sessions actually ran, but the Vim one probably started with “low-hanging fruit, let’s start by seeing if modeline has accidentally become insecure yet again”, and the emacs with “meh, don’t know anything offhand, before delving into code let’s see if… ooh look it runs Git, so can we apply the ol’ fsmonitor chestnut there?”

[ploxiln]

Yup, I've had "nomodeline" in my vimrc for years. I used to add the "securemodelines" plugin https://www.vim.org/scripts/script.php?script_id=1876 but just recently removed that too (I think I may have ran into an annoyance after a vim update, and decided I never really use automatic modeline support anyway)

[lloeki]

> We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned.

Yeah reading the above opening paragraph I was immediately going "oh Claude found out about modelines"

modelines are largely considered a (roundabout) equivalent to flat out eval, There's a reason plugins such as securemodelines exist:

https://www.vim.org/scripts/script.php?script_id=1876

[johnisgood]

Right. I am surprised to see this considered to be an RCE. Or a "mad bug" worthy of being here on HN. sighs.

Pretty sure a lot of people have spent lots of tokens into finding RCEs in vim and emacs, he is not the first person to do this.