CVE-2025-43929: 
NixOS vulnerability analysis and mitigation

CVE-2025-43929 affects the open_actions.py component in kitty terminal emulator versions before 0.41.0. The vulnerability allows local executable files to be run without user confirmation when linked from an untrusted document, particularly when opened in applications like KDE ghostwriter (NVD, Debian Tracker).

The vulnerability is classified as an Origin Validation Error (CWE-346). The CVSS v3.1 scores vary between sources, with NVD assigning a HIGH severity score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and MITRE assigning a MEDIUM severity score of 4.1 (Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

When exploited, the vulnerability allows an attacker to execute local files without user confirmation, potentially leading to unauthorized code execution on the target system. The impact is particularly significant when combined with applications that handle untrusted documents containing links to local executable files (Hitman Services).

The vulnerability has been patched in kitty version 0.41.0 by implementing user confirmation prompts before executing local files. The fix involves modifying the open_actions.py file to add confirmation dialogs for executable files. Users are recommended to upgrade to version 0.41.0 or later (Kitty Patch).

The vulnerability was discovered and reported by a security researcher who documented the discovery process on their blog. The issue was initially reported to KDE's security team before being correctly identified as a kitty vulnerability. The maintainer of kitty promptly addressed the issue after it was reported (Hitman Services).