( •_•)

CVE-2025-43929

How I Kind of Got Remote Code Execution via a Terminal Emulator You May Use and a Markdown Editor You May Use

Remote code execution is usually rated critical when it is discovered, but when the chain needs a few extra steps (here, a user opening an untrusted document, clicking a link, and running a specific handler), the severity drops to medium. This is the story of my first CVE: remote code execution on a user’s machine via a vulnerable terminal emulator known as KiTTY and a poorly designed markdown editor.


The Hunt for the First CVE

One day, I decided that I wanted to get my first CVE because it makes you look cool and you get bragging rights. I started my hunt on KDE, specifically the markdown editor Ghostwriter. I chose Ghostwriter as my target since it didn’t seem very mature and had a lot of open issues, such as crashes when performing certain actions.

I started my hunt by looking at high-level functionality, such as HTML injection, JavaScript execution, etc., with the goal of being able to “pop the calc,” as they say, on the victim’s machine. None of that worked, and even if it had, the bug would have been in Qt’s HTML rendering rather than in Ghostwriter itself.

I didn’t realize this at the time, and in retrospect, I spent wayyy too much time trying to break the HTML sanitizer.


A Strange Discovery?

I then tried links with a javascript: URL, which in some renderers executes script when the link is clicked. Of course, this didn’t work.

But then I had the grand idea of:
“What if I pointed the link to a local shell script?”

So I did just that, and to my surprise, when I clicked the link, the script ran without any warning prompts on my terminal emulator.

It was a “WTF” moment because… why did that just happen?


Seeking Answers

I promptly wrote an email to KDE’s security contact since I was lost at the moment. I eventually got an email back saying the issue was unable to be reproduced. Huh, weird right?

I took a minute, slowed down, and realized that this wasn’t an issue with KDE at all, but rather KiTTY.

I ran kde-open script.sh in my terminal: with KiTTY installed, the script was executed immediately, but after uninstalling KiTTY, the same command opened the shell script in a text editor. kde-open doesn’t decide what to do with a file itself; it hands the file to whichever application is registered as the default handler for its MIME type (application/x-shellscript here). So KiTTY had registered itself as a handler for shell scripts, and its handler ran the file instead of displaying it.
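The behaviour above comes down to the desktop’s MIME handler lookup. The script below is an added example, not code from this post, KDE or KiTTY: a simplified model of that lookup run against constructed mimeapps.list and .desktop files. It shows a launcher-style entry winning while it exists and the editor taking over once the launcher’s entry is gone, which is exactly the before/after of uninstalling. The launcher-open.desktop entry, its Exec line and the kate entry are hypothetical stand-ins; real systems also consult mimeinfo.cache and per-desktop mimeapps.list files, which this model skips.

```shell
#!/bin/sh
# Added example (not from the original post, KDE or KiTTY): a simplified
# model of how kde-open/xdg-open pick an application for a file. The
# desktop looks up the file's MIME type in mimeapps.list, first under
# [Default Applications] and then [Added Associations], and takes the
# first entry whose .desktop file actually exists. Everything below is
# constructed; launcher-open.desktop is a hypothetical stand-in for a
# terminal's URL handler, not KiTTY's real desktop entry.

tmp=$(mktemp -d)
mkdir -p "$tmp/with" "$tmp/without"   # applications dir with/without the launcher

cat > "$tmp/mimeapps.list" <<'EOF'
[Default Applications]
application/x-shellscript=launcher-open.desktop;
text/markdown=org.kde.ghostwriter.desktop;

[Added Associations]
application/x-shellscript=launcher-open.desktop;org.kde.kate.desktop;
text/markdown=org.kde.ghostwriter.desktop;org.kde.kate.desktop;
EOF

# Handler that *runs* the file it is handed (constructed stand-in).
cat > "$tmp/with/launcher-open.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Launcher URL handler (constructed)
Exec=launcher +open %U
MimeType=application/x-shellscript;
NoDisplay=true
EOF

# Handler that *displays* the file: an editor entry, present in both dirs.
for d in with without; do
cat > "$tmp/$d/org.kde.kate.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Kate (constructed)
Exec=kate -b %U
MimeType=text/plain;application/x-shellscript;
EOF
done

# candidates MIME SECTION LIST: desktop ids listed for MIME under SECTION
# of mimeapps.list, one per line, in the order they appear.
candidates() {
    awk -v m="$1" -v s="$2" '
        /^\[/ { in_sec = ($0 == s); next }
        in_sec && index($0, m "=") == 1 {
            n = split(substr($0, length(m) + 2), ids, ";")
            for (i = 1; i <= n; i++) if (ids[i] != "") print ids[i]
        }' "$3"
}

# resolve_handler MIME LIST APPDIR: first candidate whose .desktop exists
# in APPDIR, or "none". Uninstalling a handler removes its .desktop file,
# so the lookup silently falls through to the next association.
resolve_handler() {
    mime="$1"; list="$2"; appdir="$3"
    for sec in "[Default Applications]" "[Added Associations]"; do
        for id in $(candidates "$mime" "$sec" "$list"); do
            if [ -f "$appdir/$id" ]; then
                echo "$id"
                return 0
            fi
        done
    done
    echo "none"
    return 0
}

# exec_of APPDIR DESKTOP_ID: the Exec= line of a desktop entry (what the
# desktop would actually launch with the file path substituted for %U).
exec_of() {
    [ -f "$1/$2" ] || return 0
    sed -n 's/^Exec=//p' "$1/$2" | head -n 1
}

for d in with without; do
    handler=$(resolve_handler application/x-shellscript "$tmp/mimeapps.list" "$tmp/$d")
    printf '%s launcher: %s -> Exec=%s\n' "$d" "$handler" "$(exec_of "$tmp/$d" "$handler")"
done
```

On a real system the equivalent check is xdg-mime query filetype script.sh followed by xdg-mime query default application/x-shellscript, then reading the Exec= line of the returned .desktop file under ~/.local/share/applications or /usr/share/applications. If that Exec line launches the file rather than opening it in a viewer, every “open this file” path on the desktop (kde-open, xdg-open, a clicked link in a document preview) becomes code execution.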


Fixing the Flaw

After this revelation, I let the maintainer of KiTTY know, and the issue got fixed promptly.

After the issue was fixed, I decided to go ahead and submit a request to MITRE to get a CVE assigned for the issue.

Weeks went by… no response.


Celebration Time 🎉

Until today (4/19/25), when I got an email back from MITRE with the CVE ID assigned to the vulnerability. To be completely honest, I thought they had ghosted me (no pun intended).

The vulnerability was assigned a medium severity rating with a score of 4.1, and honestly, I can’t complain: the attack needs the victim to open an untrusted folder in the markdown editor, click the link, and happen to have KiTTY registered as the handler for shell scripts.


Attack Flow

Folder containing a markdown file and a shell script → send to victim → victim opens the markdown file in the poorly made markdown editor → victim clicks the link (and, hopefully for the attacker, has KiTTY installed as the handler for shell scripts) → the script runs without any prompt
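To make the chain concrete, here is a constructed version of the attacker’s folder and a small check that lists links in a markdown file pointing at local script files, the kind of thing worth running before opening a folder someone sent you. This is an added example, not code from the post or from either project; the file names (notes.md, update.sh, readme.md) and the link targets are made up, and the link detection is a deliberately simple grep over inline-style links, so it will miss reference-style links and HTML anchors.

```shell
#!/bin/sh
# Added example (not from the original post or either project): the
# two-file folder from the attack flow, built from constructed content,
# plus a check that lists markdown links pointing at local script files.
# File names and link targets are made up.

workdir=$(mktemp -d)

# The script the attacker ships alongside the markdown file. Harmless
# here; the point is that it runs at all when the link is clicked.
cat > "$workdir/update.sh" <<'EOF'
#!/bin/sh
echo "ran as $(id -un) in $(pwd)"
EOF
chmod +x "$workdir/update.sh"

# The markdown file: a plain relative link, nothing that looks like an
# exploit. The preview renders it like any other link.
cat > "$workdir/notes.md" <<'EOF'
# Release notes

Full changelog: [see the project site](https://example.invalid/changelog)

Contact: [mail us](mailto:team@example.invalid)

To apply the fix, [run the updater](./update.sh).
EOF

# A clean document for comparison: only remote links.
cat > "$workdir/readme.md" <<'EOF'
# Readme

Docs live [here](https://example.invalid/docs) and [here](https://example.invalid/faq).
EOF

# local_script_links FILE: print inline markdown link targets that are
# local paths (relative, absolute or file://) with a script-like extension.
# A remote scheme (https:, mailto:, ...) has ':' before any '/', which the
# second grep rejects; bare names like update.sh count as local.
local_script_links() {
    grep -oE '[]]\([^)]+\)' "$1" \
      | sed -E 's/^[]]\((.*)\)$/\1/' \
      | grep -E '^(file://|/|\.\.?/|[^:/]+(/|$))' \
      | grep -iE '\.(sh|bash|zsh|fish|command|tool|py|pl)$'
}

echo "notes.md links to local scripts:"
local_script_links "$workdir/notes.md"
echo "readme.md links to local scripts:"
local_script_links "$workdir/readme.md"
```

The check reports ./update.sh for notes.md and nothing for readme.md. A link target that resolves to a file inside the same folder is the tell: the markdown editor will hand it to the desktop’s handler for that file type, and what happens next depends entirely on which handler is registered.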

Even then, this is my first CVE, and I’m proud of it.