Local Executable Execution Vulnerability in Kitty by Kovid Goyal
CVE-2025-43929

7.8HIGH

Key Information:

Vendor

Kitty Project

Status
Kitty
Vendor
CVE Published:
20 April 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-43929?

The vulnerability in Kitty before version 0.41.0 originates from the open_actions.py script, which fails to prompt users for confirmation before executing local files that may be linked within documents from untrusted sources, such as those opened in KDE Ghostwriter. This design flaw can allow malicious documents to potentially execute unauthorized code on a user's system, significantly raising the risk of exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

kitty 0 < 0.41.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-43929
Created by 0xBenCantCode

References

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c...
https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0....
https://ghostwriter.kde.org/documentation/#links

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.