A security researcher used Anthropic's Claude to discover remote code execution (RCE) vulnerabilities in two of the most widely-used text editors in the world: Vim and GNU Emacs. Both bugs can be triggered just by opening a file - no other user interaction required.
RCE means an attacker can run arbitrary commands on your machine. In this case, opening the wrong file in either editor could give an attacker full control with whatever permissions your user account has.
The Vim Bug: Malicious Modelines
Vim has a feature called modelines - special comments you can embed in a file that tell Vim how to display it (tab width, syntax highlighting, etc.). The vulnerability, discovered by researcher Hung Nguyen, exploits missing security checks in how Vim processes these modeline instructions.
A specially crafted file could include modeline commands that escape the intended sandbox and execute arbitrary code the moment you open the file. Vim versions 9.2.0271 and earlier are affected. A patch is already available in version 9.2.0272.
As Nguyen put it: "An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim."
The Emacs Bug: Hidden .git Directories
The Emacs vulnerability takes a different attack path. Emacs has built-in version control integration that automatically runs Git operations when you open files. If you extract an archive that contains a hidden .git/ directory with a malicious configuration, Emacs will read that config and execute whatever program is specified in Git's core.fsmonitor setting - all without asking.
The attack scenario: someone sends you a zip file containing project files plus a hidden .git folder with a payload. You extract it, open any text file in Emacs, and the malicious code runs automatically.
This one is more concerning because it remains unpatched. The Emacs maintainers consider this Git's problem, not theirs. Their suggested mitigation is to explicitly block core.fsmonitor in Git calls, but no official fix has been released.
AI as a Security Research Tool
The interesting angle here is the method. Nguyen found both vulnerabilities by prompting Claude to analyze these editors for potential RCE zero-days. Claude identified the attack vectors, then generated working proof-of-concept exploits that were refined through follow-up prompts.
This is not AI hallucinating theoretical vulnerabilities. These are real, confirmed bugs in software that millions of developers use daily. Vim has been around since 1991, Emacs since 1976. These codebases have been reviewed by thousands of developers over decades, and an AI found exploitable flaws through what amounts to a focused conversation.
For anyone running Vim, update to 9.2.0272 or later immediately. For Emacs users, be cautious about extracting archives from untrusted sources, and consider adding core.fsmonitor blocking to your Git configuration until an official fix ships.