Local Executable Execution Vulnerability in Kitty by Kovid Goyal
CVE-2025-43929

4.1MEDIUM

Key Information:

Vendor: Kitty Project
Status: Kitty
Vendor: CVE Published:; 20 April 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The vulnerability in Kitty before version 0.41.0 originates from the open_actions.py script, which fails to prompt users for confirmation before executing local files that may be linked within documents from untrusted sources, such as those opened in KDE Ghostwriter. This design flaw can allow malicious documents to potentially execute unauthorized code on a user's system, significantly raising the risk of exploitation.

Affected Version(s)

kitty 0 < 0.41.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-43929
Created by 0xBenCantCode

References

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c...

https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0....

https://ghostwriter.kde.org/documentation/#links

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Apr 20, 2025
👾
Exploit known to exist
Apr 20, 2025
Vulnerability published
Apr 20, 2025
Vulnerability Reserved
Apr 20, 2025