CVE-2025-43929

high

Description

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

References

https://hitman.services/cve-2025-43929/

https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35

https://github.com/0xBenCantCode/CVE-2025-43929

https://ghostwriter.kde.org/documentation/#links

Details

Source: Mitre, NVD

Published: 2025-04-20

Updated: 2025-04-24

Risk Information

CVSS v2

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H