CVE-2025-1244

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-1244
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2025:1915
https://access.redhat.com/errata/RHSA-2025:1917
https://access.redhat.com/errata/RHSA-2025:1961
https://access.redhat.com/errata/RHSA-2025:1962
https://access.redhat.com/errata/RHSA-2025:1963
https://access.redhat.com/errata/RHSA-2025:1964
https://access.redhat.com/errata/RHSA-2025:2022
https://access.redhat.com/errata/RHSA-2025:2130
https://access.redhat.com/errata/RHSA-2025:2157
https://access.redhat.com/errata/RHSA-2025:2195
https://access.redhat.com/errata/RHSA-2025:2754
https://access.redhat.com/security/cve/CVE-2025-1244
https://bugzilla.redhat.com/show_bug.cgi?id=2345150
http://www.openwall.com/lists/oss-security/2025/03/01/2
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html
Configurations

No configuration.

History

03 Nov 2025, 21:18

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html -

13 Mar 2025, 14:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2754 -

04 Mar 2025, 08:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2195 -

03 Mar 2025, 20:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2130 -

03 Mar 2025, 18:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2157 -

03 Mar 2025, 12:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2022 -

03 Mar 2025, 08:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:1962 -

03 Mar 2025, 02:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:1961 -
  • () https://access.redhat.com/errata/RHSA-2025:1963 -
  • () https://access.redhat.com/errata/RHSA-2025:1964 -

01 Mar 2025, 21:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/03/01/2 -

01 Mar 2025, 06:15

Type Values Removed Values Added
References
  • () https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390 -
  • () https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1 -

27 Feb 2025, 11:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:1917 -

27 Feb 2025, 10:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:1915 -

19 Feb 2025, 19:15

Type Values Removed Values Added
Summary
  • (es) Se encontró una falla en el editor de texto de Emacs. La gestión inadecuada de esquemas de URL "man" personalizados permite a los atacantes ejecutar comandos de shell arbitrarios engañando a los usuarios para que visiten un sitio web especialmente manipulado o una URL HTTP con una redirección.
Summary (en) A flaw was found in the Emacs text editor. Improper handling of custom "man" URI schemes allows attackers to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. (en) A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

12 Feb 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-12 15:15

Updated : 2025-11-03 21:18

NVD link : CVE-2025-1244

Mitre link : CVE-2025-1244

CVE.ORG link : CVE-2025-1244

JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')