CVE-2024-53920
Emacs vulnerability analysis and mitigation

Overview

CVE-2024-53920 affects GNU Emacs versions before 30.1, where users invoking elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. The vulnerability was discovered in August 2018 and publicly disclosed in November 2024 (Emacs Blog).

Technical details

The vulnerability stems from unsafe Lisp macro-expansion in Emacs, which runs unrestricted Emacs Lisp code during macro-expansion time. The issue occurs in elisp-mode.el when code completion or on-the-fly diagnosis features attempt to examine code by expanding macros. Common configurations that enable auto-completion features (like Corfu and Company) or code diagnosis tools (Flymake or Flycheck) can trigger this vulnerability automatically when opening affected files (Emacs Blog).

Impact

An attacker can achieve arbitrary code execution by crafting a malicious Emacs Lisp file that includes harmful macro invocations. When a user opens such a file in Emacs with certain common features enabled, the code can execute automatically without user intervention (Emacs Blog).

Mitigation and workarounds

Users are advised to:
1) Avoid visiting untrusted .el files in Emacs.
2) Disable automatic error checking with Flymake or Flycheck in untrusted .el files.
3) Disable auto-completion features in untrusted .el files.
4) Set enable-local-eval to nil.
The vulnerability has been addressed in Emacs 30, which includes new safety mechanisms that disable Flymake and code-completion-induced macro-expansion in untrusted files (Emacs Blog, Debian Security).
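As an added example (not part of the Wiz report, and not code from the Emacs project), the following init-file fragment for Emacs 29 or earlier implements workarounds 2 to 4 above by treating only .el files under an explicit allow-list of directories as trusted. The names my/trusted-elisp-dirs, my/trusted-elisp-buffer-p and my/harden-untrusted-elisp, and the two directories listed, are assumptions for illustration:

```elisp
;; Added example, not from the Wiz report or from Emacs itself.
;; Workaround 4: never evaluate `eval:' forms from file-local variables.
(setq enable-local-eval nil)

(require 'seq)

;; Assumed allow-list: only .el files below these directories are trusted.
(defvar my/trusted-elisp-dirs
  (list (expand-file-name "~/.emacs.d/")
        (expand-file-name "~/src/my-packages/"))
  "Directories whose Emacs Lisp files are considered trusted.")

(defun my/trusted-elisp-buffer-p ()
  "Return non-nil if the current buffer visits a file under a trusted directory.
Paths are canonicalised with `file-truename' so symlinks cannot escape the list."
  (and buffer-file-name
       (let ((file (file-truename buffer-file-name)))
         (seq-some (lambda (dir) (string-prefix-p (file-truename dir) file))
                   my/trusted-elisp-dirs))))

(defun my/harden-untrusted-elisp ()
  "Disable tooling that macro-expands buffer contents when the file is untrusted.
Covers workarounds 2 (Flymake/Flycheck) and 3 (auto-completion) from the report."
  (unless (my/trusted-elisp-buffer-p)
    ;; Workaround 2: no on-the-fly diagnostics.
    (flymake-mode -1)
    (when (bound-and-true-p flycheck-mode)
      (flycheck-mode -1))
    ;; Workaround 3: no completion UI that calls elisp-completion-at-point,
    ;; and no elisp completion backend at all, so a manual M-TAB is safe too.
    (when (fboundp 'corfu-mode) (corfu-mode -1))
    (when (fboundp 'company-mode) (company-mode -1))
    (remove-hook 'completion-at-point-functions #'elisp-completion-at-point t)
    (message "Untrusted Emacs Lisp file: diagnostics and completion disabled")))

;; Depth 90 runs this after the hooks that enable Flymake, Corfu or Company,
;; so it always has the last word in emacs-lisp-mode buffers.
(add-hook 'emacs-lisp-mode-hook #'my/harden-untrusted-elisp 90)
```

The fragment is deliberately fail-closed: a buffer not backed by a file, or a file outside the allow-list, is treated as untrusted. It also removes elisp-completion-at-point itself rather than only the completion front-ends, because the report states that invoking the function on untrusted code is enough to trigger the macro-expansion, whether a UI triggers it automatically or the user does by hand. Emacs 30 ships its own trusted-content mechanism for this purpose, so the fragment is only needed on older releases.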

Community reactions

The vulnerability has generated significant discussion in the Emacs community, with many users expressing concern about the long-standing nature of the issue. The discussion on Hacker News highlighted the challenges of securing Emacs given its architecture and age, with some users suggesting running Emacs in restricted environments like Firejail as a mitigation strategy (HN Discussion).

Additional resources

Source: This report was generated using AI.

Related Emacs vulnerabilities:

CVE ID          | Severity | Score | Technologies | Component name    | CISA KEV exploit | Has fix | Published date
CVE-2024-39331  | CRITICAL | 9.8   | Emacs        | emacs-common      | No               | Yes     | Jun 23, 2024
CVE-2025-1244   | HIGH     | 8.8   | Emacs        | emacs-common      | No               | Yes     | Feb 12, 2025
CVE-2024-53920  | HIGH     | 7.8   | Emacs        | emacs-nox         | No               | Yes     | Nov 27, 2024
CVE-2024-30205  | HIGH     | 7.1   | Emacs        | app-editors/emacs | No               | Yes     | Mar 25, 2024
CVE-2024-30204  | LOW      | 2.8   | Emacs        | emacs-doc         | No               | Yes     | Mar 25, 2024
