CVE-2025-1244 - Vulnerability Details

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00207.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat Subscribe	Enterprise Linux Subscribe Openshift Builds Subscribe Rhel Aus Subscribe Rhel E4s Subscribe Rhel Els Subscribe Rhel Eus Subscribe Rhel Tus Subscribe

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
emacs-1:24.3-23.el7_9.2	cpe:/o:redhat:rhel_els:7	RHSA-2025:2130	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8
emacs-1:26.1-13.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:1917	2025-02-27T00:00:00Z
emacs-1:26.1-13.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2025:1917	2025-02-27T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
emacs-1:26.1-5.el8_2.3	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:2157	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
emacs-1:26.1-5.el8_4.3	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:1963	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
emacs-1:26.1-5.el8_4.3	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:1963	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
emacs-1:26.1-5.el8_4.3	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:1963	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
emacs-1:26.1-7.el8_6.6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:1961	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
emacs-1:26.1-7.el8_6.6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:1961	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
emacs-1:26.1-7.el8_6.6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:1961	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
emacs-1:26.1-10.el8_8.7	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:1962	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 9
emacs-1:27.2-11.el9_5.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:1915	2025-02-27T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
emacs-1:27.2-6.el9_0.2	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:2022	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
emacs-1:27.2-8.el9_2.2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:1964	2025-03-03T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
emacs-1:27.2-10.el9_4.1	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:2195	2025-03-04T00:00:00Z
Builds for Red Hat OpenShift 1.3.2
registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:dc839b2217a61a4ac07cefecc0b5a0cf8c907d7b7114ca15b5ca368f57de921a	cpe:/a:redhat:openshift_builds:1.3::el9	RHSA-2025:2754	2025-03-13T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-4069-1	emacs security update
Debian DSA	DSA-5871-1	emacs security update
EUVD	EUVD-2025-2098	A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Fixes

Solution

No solution given by the vendor.

Workaround

There is no an existing or known mitigation for this issue without disabling part of the Emacs core functionality. However, by avoiding opening or view untrusted files, websites, HTTP URLs or other URI resources with Emacs would reduce or prevent the risk of performing this attack successfully.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/03/01/2
https://access.redhat.com/errata/RHSA-2025:1915
https://access.redhat.com/errata/RHSA-2025:1917
https://access.redhat.com/errata/RHSA-2025:1961
https://access.redhat.com/errata/RHSA-2025:1962
https://access.redhat.com/errata/RHSA-2025:1963
https://access.redhat.com/errata/RHSA-2025:1964
https://access.redhat.com/errata/RHSA-2025:2022
https://access.redhat.com/errata/RHSA-2025:2130
https://access.redhat.com/errata/RHSA-2025:2157
https://access.redhat.com/errata/RHSA-2025:2195
https://access.redhat.com/errata/RHSA-2025:2754
https://access.redhat.com/security/cve/CVE-2025-1244
https://bugzilla.redhat.com/show_bug.cgi?id=2345150
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html
https://nvd.nist.gov/vuln/detail/CVE-2025-1244
https://www.cve.org/CVERecord?id=CVE-2025-1244

History

Tue, 04 Nov 2025 06:30:00 +0900

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html

Wed, 08 Oct 2025 23:00:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:rhivos:1~~
Vendors & Products	Redhat rhivos

Sat, 04 Oct 2025 02:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhivos
CPEs		cpe:/o:redhat:rhivos:1
Vendors & Products		Redhat rhivos

Wed, 16 Jul 2025 22:45:00 +0900

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00102}`	epss `{'score': 0.00111}`

Sat, 12 Jul 2025 22:45:00 +0900

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00081}`	epss `{'score': 0.00102}`

Fri, 11 Jul 2025 22:45:00 +0900

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00204}`	epss `{'score': 0.00081}`

Thu, 22 May 2025 20:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10

Thu, 13 Mar 2025 22:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Builds
CPEs		cpe:/a:redhat:openshift_builds:1.3::el9
Vendors & Products		Redhat openshift Builds
References		https://access.redhat.com/errata/RHSA-2025:2754

Wed, 05 Mar 2025 00:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4

Tue, 04 Mar 2025 17:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4::appstream
References		https://access.redhat.com/errata/RHSA-2025:2195

Tue, 04 Mar 2025 12:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2

Tue, 04 Mar 2025 05:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~	cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2025:2130

Tue, 04 Mar 2025 03:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/o:redhat:rhel_aus:8.2::baseos
References		https://access.redhat.com/errata/RHSA-2025:2157

Tue, 04 Mar 2025 00:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6

Mon, 03 Mar 2025 20:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
References		https://access.redhat.com/errata/RHSA-2025:2022

Mon, 03 Mar 2025 17:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:8.8::appstream cpe:/o:redhat:rhel_eus:8.8::baseos
References		https://access.redhat.com/errata/RHSA-2025:1962

Mon, 03 Mar 2025 11:15:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/a:redhat:rhel_tus:8.4::appstream cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_e4s:8.4::baseos cpe:/o:redhat:rhel_tus:8.4::baseos
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:1963 https://access.redhat.com/errata/RHSA-2025:1964

Mon, 03 Mar 2025 10:45:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:1961

Sun, 02 Mar 2025 06:45:00 +0900

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/03/01/2

Sat, 01 Mar 2025 15:45:00 +0900

Type	Values Removed	Values Added
References		https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390 https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1

Fri, 28 Feb 2025 00:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:8

Thu, 27 Feb 2025 20:15:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/o:redhat:enterprise_linux:8::baseos
References		https://access.redhat.com/errata/RHSA-2025:1917

Thu, 27 Feb 2025 19:15:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2025:1915

Thu, 20 Feb 2025 03:45:00 +0900

Type	Values Removed	Values Added
Description	A flaw was found in the Emacs text editor. Improper handling of custom "man" URI schemes allows attackers to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.	A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Thu, 13 Feb 2025 01:15:00 +0900

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 12 Feb 2025 23:30:00 +0900

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in the Emacs text editor. Improper handling of custom "man" URI schemes allows attackers to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Title	emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme	Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-1244 https://bugzilla.redhat.com/show_bug.cgi?id=2345150

Wed, 12 Feb 2025 22:45:00 +0900

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme
Weaknesses		CWE-78
References		https://nvd.nist.gov/vuln/detail/CVE-2025-1244 https://www.cve.org/CVERecord?id=CVE-2025-1244
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-02-12T14:27:45.707Z

Updated: 2025-11-24T19:53:23.676Z

Reserved: 2025-02-12T07:32:23.452Z

Link: CVE-2025-1244

Vulnrichment

Updated: 2025-11-03T20:57:08.032Z

NVD

Status : Awaiting Analysis

Published: 2025-02-12T15:15:18.430

Modified: 2025-11-03T21:18:52.620

Link: CVE-2025-1244

Redhat

Severity : Important

Publid Date: 2025-02-12T00:00:00Z

Links: CVE-2025-1244 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-78

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object