r1cksec1d ago

Opening a file in GNU Emacs can trigger arbitrary code execution through version control (git), most requiring zero user interaction beyond the file open itself.

https://github.com/califio/publications/blob/main/MADBugs/vim-vs-emacs-vs-claude/Emacs.md

#infosec #cybersecurity #redteam #pentest #ai #emacs #claude

publications/MADBugs/vim-vs-emacs-vs-claude/Emacs.md at main · califio/publications

Publications from Calif. Contribute to califio/publications development by creating an account on GitHub.

GitHub
Show threadOmar Antolín
@r1cksec Just to be clear, running any git command in that repo will run the arbitrary code, even if you don't have Emacs installed on your machine.
Mar 31 at 6:52amWeb
Show threadmekeor1d ago
@oantolin @r1cksec "i found an RCE vulnerability in emacs" turns out to be "claude remembers an old git-vulnerability and puts it in an emacs-framing"
Show threadKlara ❤️1d ago

@mekeor @oantolin @r1cksec

Yeah, the page even links to the Git vulnerability where it says IDEs are vulnerable, so... What's new?

Show threadmaya1d ago
@mekeor @oantolin @r1cksec but the whole thing is framed as "emacs developers refused to fix this issue" lmao
Show threadλzyd1d ago

@oantolin @r1cksec Yeah, I chalk this up to the problem of whether or not you can trust a git repo. Any time you run a git command in a git repo, you run the risk of executing code: https://git-scm.com/docs/git#_security

However, it is not safe to run Git commands in a .git directory (or the working tree that surrounds it) when that .git directory itself comes from an untrusted source. The commands in its config and hooks are executed in the usual way.

Maybe it would be nice if Emacs had a way to disable executing git commands by default as an option for threat models concerned about working with untrusted git repos, but I'm unsure if it's on Emacs to address this.

Git - git Documentation