Local Executable Execution Vulnerability in Kitty by Kovid Goyal
CVE-2025-43929

7.8HIGH

Key Information:

Vendor: Kitty Project
Status: Kitty
Vendor: CVE Published:; 20 April 2025

🔔 Create Kitty Project Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-43929?

The vulnerability in Kitty before version 0.41.0 originates from the open_actions.py script, which fails to prompt users for confirmation before executing local files that may be linked within documents from untrusted sources, such as those opened in KDE Ghostwriter. This design flaw can allow malicious documents to potentially execute unauthorized code on a user's system, significantly raising the risk of exploitation.

Affected Version(s)

kitty 0 < 0.41.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-43929
Created by 0xBenCantCode

References

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c...

https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0....

https://ghostwriter.kde.org/documentation/#links

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 20, 2025
👾
Exploit known to exist
Apr 20, 2025
Vulnerability published
Apr 20, 2025
Vulnerability Reserved
Apr 20, 2025