CVE-2024-53920

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)

CVSS

No CVSS.

References

Link	Resource
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html	Third Party Advisory
https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92	Product
https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4	Release Notes
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1	Product
https://news.ycombinator.com/item?id=42256409	Issue Tracking
https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*

History

30 Apr 2025, 16:21

Type	Values Removed	Values Added
References	~~() https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html -~~	() https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html - Third Party Advisory
References	~~() https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1 -~~	() https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1 - Product
References	~~() https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/ -~~	() https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/ - Mailing List
References	~~() https://news.ycombinator.com/item?id=42256409 -~~	() https://news.ycombinator.com/item?id=42256409 - Issue Tracking
References	~~() https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4 -~~	() https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4 - Release Notes
References	~~() https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92 -~~	() https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92 - Product
CPE		cpe:2.3:a:gnu:emacs::::::::
First Time		Gnu emacs Gnu

01 Mar 2025, 06:15

Type	Values Removed	Values Added
Summary	In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)	In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)
References	{'url': 'https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/', 'name': 'https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/', 'tags': [], 'refsource': ''}	() https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1 - () https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/ -

27 Nov 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-27 15:15

Updated : 2025-04-30 16:21

NVD link : CVE-2024-53920

Mitre link : CVE-2024-53920

JSON object : View

Products Affected

gnu

emacs

CWE

No CWE.

JSON object

Attach tags to CVE-2024-53920

Attach tags to `CVE-2024-53920`