CVE-2025-1244 | Emacs: shell injection vulnerability in GNU Emacs via custom "man" URI scheme

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Published: 2025-02-12
Last update: 2026-04-15
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2025-1244 is rated Moderate Risk (63.3/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.29%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-1244

EPSS lead: The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-30 1.08% 1.29% +0.21%
2 2026-03-23 0.39% 1.08% +0.70%
3 2026-03-02 0.39%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-1244


Base score Version Severity Vector Exploitability Impact Score source
8.8 3.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9 [email protected]

Vector components:
Attack vector (AV:N): Could be attacked over the internet or any normal routed network, not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward, with no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed; anonymous or random user is enough.
User interaction (UI:R): A real person has to do something (click, install, enable), otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component, with no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data; trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2025-1244

OS Trackers for CVE-2025-1244

vendor priority summary link
debian not yet assigned CVE-2025-1244 not yet assigned priority: Debian including 1 source packages (emacs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-1244
gentoo high CVE-2025-1244: 1 GLSA(s) (202506-01), 1 atom(s) (app-editors/emacs); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2025-1244
redhat high https://access.redhat.com/security/cve/CVE-2025-1244
suse high CVE-2025-1244 severity important: SUSE including 50 source package names (emacs-24.3-23.el7_9.2, emacs-24.3-25.23.1, …), 167 product×package rows across 30 product lines (SUSE Enterprise Storage 7.1, SUSE Liberty Linux 7 LTSS, … (30 product lines)): Fixed 167. https://www.suse.com/security/cve/CVE-2025-1244/
ubuntu medium CVE-2025-1244 medium priority: Ubuntu including 5 source packages (emacs, emacs24, emacs25, xemacs21, xemacs21-packages), 41 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream, xenial): needs-triage 15, DNE 12, ignored 9, released 4, not-affected 1. https://ubuntu.com/security/CVE-2025-1244

Affected software / configurations for CVE-2025-1244

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-1244

URL Tags
https://access.redhat.com/errata/RHSA-2025:1915
https://access.redhat.com/errata/RHSA-2025:1917
https://access.redhat.com/errata/RHSA-2025:1961
https://access.redhat.com/errata/RHSA-2025:1962
https://access.redhat.com/errata/RHSA-2025:1963
https://access.redhat.com/errata/RHSA-2025:1964
https://access.redhat.com/errata/RHSA-2025:2022
https://access.redhat.com/errata/RHSA-2025:2130
https://access.redhat.com/errata/RHSA-2025:2157
https://access.redhat.com/errata/RHSA-2025:2195
https://access.redhat.com/errata/RHSA-2025:2754
https://access.redhat.com/security/cve/CVE-2025-1244
https://bugzilla.redhat.com/show_bug.cgi?id=2345150
http://www.openwall.com/lists/oss-security/2025/03/01/2
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
https://lists.debian.org/debian-lts-announce/2025/02/msg00033.html
cvelogic Threat Intelligence