CVE-2025-43929

Published: Apr 20, 2025Modified: Apr 24, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

Affected (1)

Products: Kovidgoyal: Kitty

Kovidgoyal

1 product

Kitty

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kovidgoyal Kitty	Before 0.41.0

Related CWEs

CWE-346

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (5)

https://ghostwriter.kde.org/documentation/#links

Source: cve@mitre.org

Product

https://github.com/0xBenCantCode/CVE-2025-43929

Source: cve@mitre.org

Exploit

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35

Source: cve@mitre.org

Patch

https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0

Source: cve@mitre.org

Patch

https://hitman.services/cve-2025-43929/

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.