CVE-2025-43929

HIGH EPSS 6.4%
Published Apr 20, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 20, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
6.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-346

Affected Products 1

VendorProductVersionRange
kovidgoyalkitty* <0.41.0

References 5

  • ghostwriter.kde.org https://ghostwriter.kde.org/documentation/#links
    Product
  • github.com https://github.com/0xBenCantCode/CVE-2025-43929
    Exploit
  • github.com https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
    Patch
  • github.com https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0
    Patch
  • hitman.services https://hitman.services/cve-2025-43929/
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
    Patch
  • github.com https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0
    Patch