Wiz
Vulnerability DatabaseCVE-2024-39331

CVE-2024-39331
Emacs vulnerability analysis and mitigation

Overview

CVE-2024-39331 affects Emacs before version 29.4 and Org Mode before version 9.7.5. The vulnerability exists in the org-link-expand-abbrev function in lisp/ol.el, which expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. The vulnerability was discovered in June 2024 and emergency fixes were released for both Emacs and Org Mode (GNU Emacs, Org Mode).

Technical details

The vulnerability allows arbitrary code execution through the org-link-expand-abbrev function when processing Org mode files. The issue occurs when a malicious Org file contains a link abbreviation definition using the %(...) syntax that calls unsafe functions. For example, a malicious file could contain '#+LINK: shell %(shell-command-to-string) [[shell:touch ~/hacked.txt]]' which would execute shell commands without user confirmation (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability can lead to arbitrary code execution when an Org mode file is opened or when previewing Org mode attachments in email clients like Gnus, mu4e, or Notmuch. This could allow attackers to execute malicious commands on the target system without user interaction, potentially leading to system compromise (OSS Security).

Mitigation and workarounds

The vulnerability has been fixed in Emacs 29.4 and Org Mode 9.7.5. Users should upgrade to these versions or later. For those unable to upgrade immediately, it's possible to disable automatic parsing of Org files in incoming email messages by configuring emacs-mime settings. This can be done by disabling autodetection of Org files inline in text/plain parts and removing text/x-org from the list of automatically previewed MIME types (OSS Security).

Community reactions

The vulnerability has generated significant discussion in the Emacs community, particularly regarding the security implications of automatic code evaluation in Org mode. There are ongoing discussions about removing the %(my-function) placeholder from link abbreviation specifications and improving the security model for handling untrusted content (Hacker News).

Additional resources

SourceThis report was generated using AI

Related Emacs vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2024-39331CRITICAL9.8
  • EmacsEmacs
  • emacs-common
NoYesJun 23, 2024
CVE-2025-1244HIGH8.8
  • EmacsEmacs
  • emacs-common
NoYesFeb 12, 2025
CVE-2024-53920HIGH7.8
  • EmacsEmacs
  • emacs-nox
NoYesNov 27, 2024
CVE-2024-30205HIGH7.1
  • EmacsEmacs
  • app-editors/emacs
NoYesMar 25, 2024
CVE-2024-30204LOW2.8
  • EmacsEmacs
  • emacs-doc
NoYesMar 25, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo