CVE-2025-43929 — Origin Validation Error in Project Kitty

CWE-346 — Origin Validation Error4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 82.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kitty Project Kitty Kovidgoyal Kitty Debian Kitty

Timeline

PublishedApr 20

Description

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/kitty< kitty 0.41.1-1 (forky)

▶NVDkovidgoyal/kitty< 0.41.0

▶CVEListV5kitty_project/kitty< 0.41.0

▶Debiankitty_project/kitty< 0.41.1-1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-cch3-2vm3-v73j: open_actions↗2025-04-20

▶

OSV

CVE-2025-43929: open_actions↗2025-04-20

▶

📋Vendor Advisories

Debian

CVE-2025-43929: kitty - open_actions.py in kitty before 0.41.0 does not ask for user confirmation before...↗2025

▶