CVE-2022-48339

7.8 HIGH

📋 TL;DR

CVE-2022-48339 is a command injection vulnerability in GNU Emacs' htmlfontify.el module. It allows attackers to execute arbitrary code by crafting malicious file or directory names containing shell metacharacters. This affects all GNU Emacs users who process untrusted files through the htmlfontify functionality.

💻 Affected Systems

Products:
  • GNU Emacs
Versions: All versions through 28.2
Operating Systems: Linux, Unix-like systems, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the htmlfontify.el module when processing external input for file and directory names.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with arbitrary code execution as the user running Emacs, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or arbitrary command execution when processing malicious files from untrusted sources.

🟢 If Mitigated

No impact if proper input validation and escaping are implemented, or if untrusted files are not processed.

🌐 Internet-Facing: LOW - This requires local file access or user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could exploit this if they can influence file names processed by Emacs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control file or directory names processed by the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c and later versions

Vendor Advisory: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c

Restart Required: Yes

Instructions:

1. Update GNU Emacs to a version later than 28.2.
2. Apply the patch from the Git commit.
3. Restart Emacs to load the fixed code.

🔧 Temporary Workarounds

Disable htmlfontify module

all

Prevent loading of the vulnerable htmlfontify.el module

Add (setq load-path (remove "/path/to/htmlfontify.el" load-path)) to .emacs

Input validation wrapper

all

Create wrapper functions that sanitize file and directory names before passing to hfy-istext-command

Implement custom functions that filter shell metacharacters from file paths

🧯 If You Can't Patch

  • Avoid processing untrusted files or directories with Emacs htmlfontify functionality
  • Implement strict file name validation at the application level before passing to Emacs
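
One way to implement the file name validation described above, as an added example (not code from Emacs or from this advisory): a pre-flight check that walks a directory tree and refuses any name containing characters outside an allowlist. The function names, the allowlist and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Characters that never change how a POSIX shell parses a word: letters,
# digits, underscore and a few punctuation marks. "/" is left out because
# each path component is checked on its own.
SAFE_COMPONENT = re.compile(r"[\w@%+=:,.-]+")


def is_safe_component(name):
    """True if one file or directory name uses only allowlisted characters."""
    return SAFE_COMPONENT.fullmatch(name) is not None


def unsafe_paths(root):
    """Return sorted paths (relative to root) whose own name fails the allowlist."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not is_safe_component(name):
                full = os.path.join(dirpath, name)
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def build_sample_tree(root):
    """Constructed sample: two clean files, three names with metacharacters."""
    samples = ["src/main.c", "README.txt", "src/draft;v2.c", "a b.txt", "dir&co/ok.el"]
    for rel in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return unsafe_paths(root)


if __name__ == "__main__":
    rejected = demo()
    for rel in rejected:
        print("refuse:", repr(rel))
    print(f"{len(rejected)} name(s) rejected; do not pass this tree to htmlfontify")
```

The directory handed to htmlfontify needs the same check on its own path components, since the check above only covers names below the root.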

🔍 How to Verify

Check if Vulnerable:

Check Emacs version with 'emacs --version' and verify if it's 28.2 or earlier

Check Version:

emacs --version | head -n 1

Verify Fix Applied:

Verify that the fix is present: check that the Emacs source includes commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands executed from Emacs process
  • File operations with suspicious characters in names

Network Indicators:

  • Outbound connections from Emacs process to unexpected destinations

SIEM Query:

process.name:"emacs" AND (cmdline:"sh" OR cmdline:"bash")
