CVE-2025-43929

NameCVE-2025-43929
Descriptionopen_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1103691

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kitty (PTS)bullseye0.19.3-1vulnerable
bookworm0.26.5-5vulnerable
trixie, sid0.41.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kittysource(unstable)0.41.1-11103691

Notes

https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35 (v0.41.0)
Search for package or bug name: Reporting problems