CVE-2025-1244
published 2025-02-12CVE-2025-1244: A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a…
PriorityP263high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
2.68%
83.9th percentile
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | emacs | < emacs 1:28.2+1-15+deb12u4 (bookworm) | emacs 1:28.2+1-15+deb12u4 (bookworm) |
| gnu | emacs | >= 0 < 1:27.1+1-3.1+deb11u6 | 1:27.1+1-3.1+deb11u6 |
| gnu | emacs | >= 0 < 1:28.2+1-15+deb12u4 | 1:28.2+1-15+deb12u4 |
| gnu | emacs | >= 0 < 1:30.1+1-1 | 1:30.1+1-1 |
| gnu | emacs | >= 0 < 1:30.1+1-1 | 1:30.1+1-1 |
| gnu | emacs | >= 0 < 1:26.3+1-1ubuntu2+esm2 | 1:26.3+1-1ubuntu2+esm2 |
| gnu | emacs | >= 0 < 1:27.1+1-3ubuntu5.2+esm1 | 1:27.1+1-3ubuntu5.2+esm1 |
| gnu | emacs | >= 0 < 1:29.3+1-1ubuntu2+esm3 | 1:29.3+1-1ubuntu2+esm3 |
| msrc | azl3_emacs_29.4-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_emacs_29.4-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_emacs_29.4-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_emacs_29.4-3_on_cbl_mariner_2.0 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploitation vector involves a custom 'man' URI scheme in Emacs; monitor for Emacs processes spawned via man:// URI handling that invoke shell commands unexpectedly. ↗
- →Exploitation can be triggered by a user visiting a specially crafted HTTP URL with a redirect that resolves to a malicious man URI; monitor web proxy/DNS logs for man:// scheme redirects delivered over HTTP. ↗
- →Emacs did not properly sanitize input when handling certain URI schemes; alert on Emacs child processes (e.g., /bin/sh, bash) spawned as children of the emacs process, which may indicate shell injection via URI handling. ↗
- ·Exploitation requires user interaction — a user must be tricked into visiting a malicious website, HTTP URL with redirect, or opening a crafted URI resource in Emacs; this limits the attack surface to interactive Emacs sessions. ↗
- ·No mitigation exists without disabling core Emacs functionality; the recommended risk reduction is to avoid opening untrusted files, websites, HTTP URLs, or other URI resources with Emacs. ↗
- ·Red Hat Enterprise Linux 10 is listed as Not Affected; RHEL 6 is out of support scope. Patch status varies significantly by distribution — verify the specific distro/version before assuming exposure. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
vendor_ubuntu7.8HIGH
vendor_cisco6.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
emacs vulnerabilities
osv·2026-02-04·CVSS 7.8
CVE-2024-53920 [HIGH] emacs vulnerabilities
emacs vulnerabilities
It was discovered that Emacs could trigger unsafe Lisp macro expansion,
when a user invoked elisp-completion-at-point on untrusted Emacs Lisp
source code. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-53920)
It was discovered that Emacs did not properly sanitize input when
handling certain URI schemes. An attacker could possibly use this issue
to execute arbitrary shell commands by tricking a user into opening a
specially crafted URL. (CVE-2025-1244)
GHSA
GHSA-gghq-qp34-gqg8: A flaw was found in the Emacs text editor
ghsa_unreviewed·2025-02-12
CVE-2025-1244 [HIGH] CWE-78 GHSA-gghq-qp34-gqg8: A flaw was found in the Emacs text editor
A flaw was found in the Emacs text editor. Improper handling of custom "man" URI schemes allows attackers to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
OSV
CVE-2025-1244: A command injection flaw was found in the text editor Emacs
osv·2025-02-12·CVSS 8.8
CVE-2025-1244 [HIGH] CVE-2025-1244: A command injection flaw was found in the text editor Emacs
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Fortinet
Restricted CLI escape using Lua
vendor_fortinet·2026-06-09·CVSS 6.7
CVE-2025-67862 [MEDIUM] CWE-1244 Restricted CLI escape using Lua
FG-IR-26-143: Restricted CLI escape using Lua
An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands.
CVEs: CVE-2025-67862
CWEs: CWE-1244
CVSS: 6.7 (medium)
Affected products: FortiOS, FortiProxy, Fortinet
Ubuntu
Emacs vulnerabilities
vendor_ubuntu·2026-02-04·CVSS 7.8
CVE-2025-1244 [HIGH] Emacs vulnerabilities
Title: Emacs vulnerabilities
Summary: Several security issues were fixed in Emacs.
It was discovered that Emacs could trigger unsafe Lisp macro expansion,
when a user invoked elisp-completion-at-point on untrusted Emacs Lisp
source code. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-53920)
It was discovered that Emacs did not properly sanitize input when
handling certain URI schemes. An attacker could possibly use this issue
to execute arbitrary shell commands by tricking a user into opening a
specially crafted URL. (CVE-2025-1244)
Instructions: In general, a standard system update will make all the necessary changes.
Cisco
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerabilities
vendor_cisco·2025-08-14·CVSS 6.0
CVE-2025-20237 [MEDIUM] CWE-1244 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerabilities
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerabilities
Multiple vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
These vulnerabilities are due to insufficient input validation of commands that are supplied by the user. An attacker could exploit these vulnerabilities by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attac
Red Hat
emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme
vendor_redhat·2025-02-12·CVSS 8.8
CVE-2025-1244 [HIGH] CWE-78 emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme
emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Statement: To exploit this flaw, an attacker needs to trick a user into visiting a specially crafted website, an HTTP URL with a redirect or in
Microsoft
Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme
vendor_msrc·2025-02-11·CVSS 8.8
CVE-2025-1244 [HIGH] CWE-78 Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme
Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
redhat: redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2025-1244: emacs - A command injection flaw was found in the text editor Emacs. It could allow a re...
vendor_debian·2025·CVSS 8.8
CVE-2025-1244 [HIGH] CVE-2025-1244: emacs - A command injection flaw was found in the text editor Emacs. It could allow a re...
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Scope: local
bookworm: resolved (fixed in 1:28.2+1-15+deb12u4)
bullseye: resolved (fixed in 1:27.1+1-3.1+deb11u6)
forky: resolved (fixed in 1:30.1+1-1)
sid: resolved (fixed in 1:30.1+1-1)
trixie: resolved (fixed in 1:30.1+1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://access.redhat.com/errata/RHSA-2025:1915https://access.redhat.com/errata/RHSA-2025:1917https://access.redhat.com/errata/RHSA-2025:1961https://access.redhat.com/errata/RHSA-2025:1962https://access.redhat.com/errata/RHSA-2025:1963https://access.redhat.com/errata/RHSA-2025:1964https://access.redhat.com/errata/RHSA-2025:2022https://access.redhat.com/errata/RHSA-2025:2130https://access.redhat.com/errata/RHSA-2025:2157https://access.redhat.com/errata/RHSA-2025:2195https://access.redhat.com/errata/RHSA-2025:2754https://access.redhat.com/security/cve/CVE-2025-1244https://bugzilla.redhat.com/show_bug.cgi?id=2345150https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062fhttp://www.openwall.com/lists/oss-security/2025/03/01/2https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html
2025-02-12
Published