CVE-2025-43929 PUBLISHED

Assigner: mitre
Reserved: 20.04.2025 Published: 20.04.2025 Updated: 21.04.2025

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 4.1

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	kitty project
Product	kitty
Versions	Default: unaffected affected from 0 to 0.41.0 (excl.)

References

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0
https://ghostwriter.kde.org/documentation/#links
https://hitman.services/cve-2025-43929/
https://github.com/0xBenCantCode/CVE-2025-43929

Problem Types

CWE-346 Origin Validation Error CWE