CVE-2025-43929

Publication date 20 April 2025

Last updated 11 July 2025

Ubuntu priority

Cvss 3 Severity Score

Description

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

Status

Show unmaintained releases

Package	Ubuntu Release	Status
kitty	26.04 LTS resolute	Not affected
	25.10 questing	Needs evaluation
	25.04 plucky	Ignored end of life, was ignored [changes too intrusive]
	24.10 oracular	Ignored end of life, was ignored [changes too intrusive]
	24.04 LTS noble	Ignored changes too intrusive
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
kitty	Upstream: ce5cfdd

Severity score breakdown

CVSS version: CVSS v3.0

Base score 4.1 · Medium

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality impact	Low
Integrity impact	Low
Availability impact	None

Scores

Parameter	Value
Base score	4.1 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N