Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-53920

HIGH
Published 2024-11-27T00:00:00.000Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-53920. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.8
/10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.001
probability
of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.287
Higher than 28.7% of all CVEs

Attack Vector Metrics

Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Description

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)

Available Exploits

No exploits available for this CVE.

Related News

DSA-5871-1 emacs - security update

Two security vulnerabilities were discovered in Emacs: CVE-2024-53920 Elisp byte-compilation ('elisp-flymake-byte-compile') in the Flymake mode is now disabled for untrusted files. CVE-2025-1244 An incomplete escaping of shell meta characters in the ma…

Debian.org 2025-02-27 00:00
Read More
Emacs 30.1 released

The Emacs extensible text editor (among other things) has made a security release to address two vulnerabilities. Emacs 30.1 has fixes for CVE-2025-1244, which is a shell-command-injection flaw in the man.el man page browser and for CVE-2024-53920, which is a…

Lwn.net 2025-02-24 15:18
Read More

Affected Products

gnu

emacs

Affected Versions:

30.0.92

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed CRITICAL

GHSA-8737-h7fg-9xgj

Advisory Details

In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-53920
WEB https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
WEB https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92
WEB https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4
WEB https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
WEB https://news.ycombinator.com/item?id=42256409
WEB https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com
WEB https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com

Advisory provided by GitHub Security Advisory Database. Published: November 27, 2024, Modified: March 1, 2025

References

https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4
https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/
https://news.ycombinator.com/item?id=42256409
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
Published: 2024-11-27T00:00:00.000Z
Last Modified: 2025-03-13T19:25:55.594Z
Copied to clipboard!