cbcvebase.
CVE-2025-1244
published 2025-02-12

CVE-2025-1244: A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a…

PriorityP263high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
2.68%
83.9th percentile
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Affected

12 ranges
VendorProductVersion rangeFixed in
debianemacs< emacs 1:28.2+1-15+deb12u4 (bookworm)emacs 1:28.2+1-15+deb12u4 (bookworm)
gnuemacs>= 0 < 1:27.1+1-3.1+deb11u61:27.1+1-3.1+deb11u6
gnuemacs>= 0 < 1:28.2+1-15+deb12u41:28.2+1-15+deb12u4
gnuemacs>= 0 < 1:30.1+1-11:30.1+1-1
gnuemacs>= 0 < 1:30.1+1-11:30.1+1-1
gnuemacs>= 0 < 1:26.3+1-1ubuntu2+esm21:26.3+1-1ubuntu2+esm2
gnuemacs>= 0 < 1:27.1+1-3ubuntu5.2+esm11:27.1+1-3ubuntu5.2+esm1
gnuemacs>= 0 < 1:29.3+1-1ubuntu2+esm31:29.3+1-1ubuntu2+esm3
msrcazl3_emacs_29.4-2_on_azure_linux_3.0
msrcazl3_emacs_29.4-3_on_azure_linux_3.0
msrccbl2_emacs_29.4-2_on_cbl_mariner_2.0
msrccbl2_emacs_29.4-3_on_cbl_mariner_2.0

Detection & IOCsextracted from sources · hover to see the quote

  • Exploitation vector involves a custom 'man' URI scheme in Emacs; monitor for Emacs processes spawned via man:// URI handling that invoke shell commands unexpectedly.
  • Exploitation can be triggered by a user visiting a specially crafted HTTP URL with a redirect that resolves to a malicious man URI; monitor web proxy/DNS logs for man:// scheme redirects delivered over HTTP.
  • Emacs did not properly sanitize input when handling certain URI schemes; alert on Emacs child processes (e.g., /bin/sh, bash) spawned as children of the emacs process, which may indicate shell injection via URI handling.
  • ·Exploitation requires user interaction — a user must be tricked into visiting a malicious website, HTTP URL with redirect, or opening a crafted URI resource in Emacs; this limits the attack surface to interactive Emacs sessions.
  • ·No mitigation exists without disabling core Emacs functionality; the recommended risk reduction is to avoid opening untrusted files, websites, HTTP URLs, or other URI resources with Emacs.
  • ·Red Hat Enterprise Linux 10 is listed as Not Affected; RHEL 6 is out of support scope. Patch status varies significantly by distribution — verify the specific distro/version before assuming exposure.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
vendor_ubuntu7.8HIGH
vendor_cisco6.0MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.