CVE-2025-43929
HIGH EPSS 6.4%
Published Apr 20, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
Published Apr 20, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
Description
open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
6.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-346
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| kovidgoyal | kitty | * | <0.41.0 |
References 5
- ghostwriter.kde.org https://ghostwriter.kde.org/documentation/#links
- github.com https://github.com/0xBenCantCode/CVE-2025-43929
- github.com https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
- github.com https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0
- hitman.services https://hitman.services/cve-2025-43929/
Remediation
- github.com https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
- github.com https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0