CVE-2025-1244

Summary

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Affected Software

VendorProductVersion RangeStatus
0 < 29.4.0affected
Red HatRed Hat Enterprise Linux 7 Extended Lifecycle Support1:24.3-23.el7_9.2 < *unaffected
Red HatRed Hat Enterprise Linux 81:26.1-13.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 81:26.1-13.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support1:26.1-5.el8_2.3 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support1:26.1-5.el8_4.3 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Service1:26.1-5.el8_4.3 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutions1:26.1-5.el8_4.3 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support1:26.1-7.el8_6.6 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service1:26.1-7.el8_6.6 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions1:26.1-7.el8_6.6 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support1:26.1-10.el8_8.7 < *unaffected
Red HatRed Hat Enterprise Linux 91:27.2-11.el9_5.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions1:27.2-6.el9_0.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support1:27.2-8.el9_2.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support1:27.2-10.el9_4.1 < *unaffected
Red HatBuilds for Red Hat OpenShift 1.3.21.3.1-1741784043 < *unaffected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

There is no an existing or known mitigation for this issue without disabling part of the Emacs core functionality. However, by avoiding opening or view untrusted files, websites, HTTP URLs or other URI resources with Emacs would reduce or prevent the risk of performing this attack successfully.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References