Neovim Lua `package.path` Security Flaw: `./?.lua` Path Enables Arbitrary Code Execution
A critical security vulnerability in Neovim's default Lua configuration allows arbitrary code execution when the editor is launched from an untrusted directory. The flaw stems from the default `package.path` search order, which lists `./?.lua` first, so `require()` resolves modules against the current working directory before consulting the standard runtime path. As a result, an attacker can hijack common module calls simply by placing a malicious `.lua` file in a directory; the code runs the moment a victim starts `nvim` there.
The vulnerability enables two primary attack vectors. First, arbitrary code execution: any plugin call to `require("modulename")` loads a malicious `modulename.lua` from the current directory instead of the legitimate plugin module. Second, module hijacking: attackers can intercept common library names such as `notify`, `json`, `utils`, or `async`. The exploit is silent and potent, executing before any user configuration or security measures can intervene, and so effectively bypasses standard safeguards.
This flaw represents a significant supply chain risk for developers and system administrators who use Neovim in varied environments, including shared workspaces or when navigating downloaded project directories. The issue prompts immediate scrutiny of Neovim's default security posture for Lua plugin loading and raises broader questions about safe defaults in extensible developer tools. Mitigation likely requires users to modify their `package.path` or for the Neovim project to reconsider this default search order in future releases.
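As an added example (not code from the Neovim project or from the article), the following Lua snippet implements the `package.path` mitigation described above: it audits which search templates resolve relative to the working directory and removes them before any `require()` runs. It assumes standard Lua/LuaJIT semantics for `package.path` (a `;`-separated list of templates in which `?` stands for the module name) and goes slightly beyond the article by applying the same treatment to `package.cpath`, the native-module search path.

```lua
-- Added example (not Neovim project code): audit and strip CWD-relative
-- search templates from Lua's module search paths before any require().
-- Assumes standard Lua/LuaJIT semantics: package.path and package.cpath are
-- ';'-separated lists of templates in which '?' is replaced by the module name.

-- Return the templates that resolve relative to the process working directory:
-- those starting with "./" or "../", or a bare "?..." template with no directory.
local function cwd_relative_templates(path)
  local hits = {}
  for tmpl in (path .. ";"):gmatch("([^;]*);") do
    if tmpl:match("^%.%.?/") or tmpl:match("^%?") then
      hits[#hits + 1] = tmpl
    end
  end
  return hits
end

-- Rebuild a search path with every CWD-relative template removed.
local function strip_cwd_templates(path)
  local kept = {}
  for tmpl in (path .. ";"):gmatch("([^;]*);") do
    if tmpl ~= "" and not (tmpl:match("^%.%.?/") or tmpl:match("^%?")) then
      kept[#kept + 1] = tmpl
    end
  end
  return table.concat(kept, ";")
end

-- Self-check on a constructed path shaped like the default described above.
local sample = "./?.lua;./?/init.lua;/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua"
assert(#cwd_relative_templates(sample) == 2)
assert(strip_cwd_templates(sample) == "/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua")

-- Apply to the live interpreter. In Neovim this belongs at the very top of
-- init.lua, before any require() of plugin modules; the audit report goes to
-- vim.notify when running inside Neovim, otherwise to stdout.
local function harden()
  local found = cwd_relative_templates(package.path)
  for _, t in ipairs(cwd_relative_templates(package.cpath)) do found[#found + 1] = t end
  package.path  = strip_cwd_templates(package.path)
  package.cpath = strip_cwd_templates(package.cpath)
  if #found > 0 then
    local msg = "removed CWD-relative search templates: " .. table.concat(found, " ")
    if vim and vim.notify then vim.notify(msg, vim.log.levels.WARN) else print(msg) end
  end
end

harden()
```

Because plugin managers and plugins may append to `package.path` later, re-running `harden()` after plugin setup is a cheap way to confirm no CWD-relative template was reintroduced.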