CVE-2025-49091: 
Linux Debian vulnerability analysis and mitigation

KDE Konsole versions before 25.04.2 contain a remote code execution vulnerability (CVE-2025-49091) discovered on April 16, 2025. The vulnerability affects systems where KTelnetService and Konsole are installed but at least one of the programs telnet, rlogin, or ssh is not installed. The issue allows remote code execution through URL scheme handlers (ssh://, telnet://, or rlogin://) when a user interacts with a malicious website (Wiz Report, KDE Advisory).

The vulnerability stems from Konsole's handling of URL schemes (ssh://, telnet://, rlogin://) through KTelnetService. When these protocols are requested but their corresponding binaries are not available, Konsole falls back to using /bin/bash with the provided URL as an argument, creating a command injection vulnerability. The issue has a CVSS v3.1 Base Score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L, indicating network accessibility with required user interaction (Proofnet Research, NVD Database).

If successfully exploited, the vulnerability allows attackers to execute arbitrary code on the target system through user interaction with a malicious website. The attack requires the user to accept a browser prompt for handling the specific URL schemes. The impact is particularly severe as it can lead to complete system compromise through remote code execution (Proofnet Research).

The vulnerability has been fixed in Konsole version 25.04.2 through commit 09d20dea, which clears the arguments when the requested command is not found. Users should upgrade to Konsole 25.04.2 or later. As temporary workarounds, users can either install all the relevant binaries (telnet, rlogin, ssh) or delete the file /usr/share/applications/ktelnetservice6.desktop to prevent URL scheme handling (KDE Advisory, Proofnet Research).