Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-53920

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)

Published

2024-11-27T15:15:26.837

Last Modified

2025-04-30T16:21:59.130

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses

Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	emacs	< 30.1	Yes

References

https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html Third Party Advisory ([email protected])
https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92 Product ([email protected])
https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4 Release Notes ([email protected])
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1 Product ([email protected])
https://news.ycombinator.com/item?id=42256409 Issue Tracking ([email protected])
https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/ Mailing List ([email protected])