CVE-2026-42851
Status: Received - Intake
Arbitrary Code Execution in Kitty Terminal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal (a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc.) can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor / Product / Version range
kitty / kitty / all versions before 0.47.0 (0.47.0 itself not affected)
kovidgoyal / kitty / all versions before 0.47.0 (0.47.0 itself not affected)
CWE ID / Description
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions (the sections below are AI-generated)
Executive Summary

This vulnerability is an unauthenticated in-process remote code execution (RCE) issue in the kitty terminal emulator versions prior to 0.47.0. An attacker can write specially crafted bytes to a kitty terminal, such as through a remote SSH session, a malicious file viewed with the cat command, log lines, emails, or other terminal outputs.

When the kitty terminal parses a specific Device Control String (DCS) sequence (@kitty-edit), it triggers an internal helper protocol that processes attacker-supplied Python code without any authentication or user approval. This code is executed inside the running kitty process with the user's full privileges.

The attack abuses the --color=geninclude option, which allows inline kitty configuration to be parsed and Python files to be executed in-process. The attack requires no user interaction beyond viewing the malicious content in the terminal, and it works even without remote-control permissions, shell integration, or editor involvement.

The issue is fixed in kitty version 0.47.0.

Compliance Impact

This vulnerability allows unauthenticated remote code execution within the kitty terminal process with the user's full privileges, potentially leading to unauthorized access and control over user data and system resources.

Such unauthorized code execution could result in data breaches or manipulation, which may violate data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

Because the exploit requires only viewing attacker-controlled content and does not require user approval or interaction, it increases the risk of unnoticed compromise, thereby impacting compliance with standards that mandate strict access controls and user consent.

Updating to version 0.47.0, which fixes the issue, is necessary to mitigate these compliance risks.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary Python code within your kitty terminal process with your full user privileges. This means the attacker can perform any action that you can, including reading, modifying, or deleting files, installing malware, or taking control of your system.

Since the attack requires only that you view attacker-controlled content in the terminal (such as running cat on a malicious file or receiving a malicious log or email), it can be triggered without your explicit consent or interaction beyond viewing the content.

The impact includes potential data loss, system compromise, unauthorized access to sensitive information, and further propagation of attacks within your environment.

Detection Guidance

This vulnerability can be detected by checking if the kitty terminal emulator version in use is vulnerable (versions prior to 0.47.0, specifically <= 0.46.2).

To detect potential exploitation attempts, monitor terminal output for suspicious Device Control String (DCS) sequences such as '@kitty-edit' that trigger the vulnerable edit-in-kitty helper protocol.

A practical test for whether a kitty terminal is vulnerable is to run `cat` on a crafted file containing the exploit payload. If kitty executes the payload (for example, by creating a marker file), it is vulnerable.

Additionally, you can check the installed kitty version by running the command: `kitty --version`
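The two checks above (a version comparison against the fixed release, and a scan of captured terminal output for DCS sequences carrying the '@kitty-edit' marker) can be scripted. The following is an added example written for this page, not code from the kitty project or from the advisory. It assumes `kitty --version` prints a dotted three-part version somewhere in its output, and it scans for the standard DCS introducer (ESC P, or the 8-bit C1 byte 0x90) terminated by ST (ESC \, or 0x9c); the body after the marker in the sample stream is a constructed placeholder, not a real protocol message.

```python
import re

# DCS introducer: 7-bit ESC P, or the 8-bit C1 control byte 0x90.
# String terminator (ST): 7-bit ESC \, or the 8-bit C1 control byte 0x9c.
# An unterminated DCS runs to end of input ($) and is reported as truncated.
# Caveat: the 8-bit forms can collide with bytes inside valid UTF-8 text, so
# treat 0x90/0x9c hits as lower confidence than the ESC-prefixed forms.
_DCS_RE = re.compile(rb"(?:\x1bP|\x90)(?P<body>.*?)(?:\x1b\\|\x9c|$)", re.DOTALL)

# The marker named in the detection guidance above.
_MARKER = b"@kitty-edit"

# First release that contains the fix, per the advisory.
FIXED_VERSION = (0, 47, 0)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def find_kitty_edit_dcs(data: bytes) -> list[dict]:
    """Return one record per DCS sequence whose body starts with @kitty-edit.

    Each record carries the byte offset of the introducer, whether the
    sequence was properly terminated by ST, and a short body prefix for triage.
    Other DCS sequences (e.g. tmux passthrough) are ignored.
    """
    hits = []
    for m in _DCS_RE.finditer(data):
        body = m.group("body")
        if not body.startswith(_MARKER):
            continue
        terminated = m.group(0).endswith((b"\x1b\\", b"\x9c"))
        hits.append({
            "offset": m.start(),
            "terminated": terminated,
            "body_prefix": body[:40].decode("ascii", "replace"),
        })
    return hits


def parse_kitty_version(version_output: str) -> tuple[int, int, int]:
    """Extract the first X.Y.Z triple from `kitty --version` output."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"no dotted version found in {version_output!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def kitty_is_vulnerable(version_output: str) -> bool:
    """True for any release before 0.47.0 (i.e. 0.46.2 and earlier)."""
    return parse_kitty_version(version_output) < FIXED_VERSION


# Constructed sample: one benign DCS (tmux passthrough), one terminated
# @kitty-edit DCS embedded in a log line, and one 8-bit, unterminated one.
SAMPLE_STREAM = (
    b"INFO build finished\n"
    b"\x1bPtmux;\x1b\x1b[31mpassthrough\x1b\\"          # benign DCS, not flagged
    b"WARN \x1bP@kitty-edit<constructed-body>\x1b\\\n"  # flagged, terminated
    b"\x90@kitty-edit<constructed-body>"                # flagged, 8-bit, truncated
)

# Constructed version strings shaped like `kitty --version` output.
SAMPLE_VULNERABLE = "kitty 0.46.2 created by Kovid Goyal"
SAMPLE_FIXED = "kitty 0.47.0 created by Kovid Goyal"

if __name__ == "__main__":
    for hit in find_kitty_edit_dcs(SAMPLE_STREAM):
        print(f"offset={hit['offset']:>4} terminated={hit['terminated']} "
              f"body={hit['body_prefix']!r}")
    for s in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(f"{s!r}: vulnerable={kitty_is_vulnerable(s)}")
```

To use this on real data, pipe a captured session or a file you are about to display into `find_kitty_edit_dcs` (for example via `script` output or the raw bytes of the file) and feed the actual `kitty --version` string into `kitty_is_vulnerable`; the scanner only flags sequences whose body begins with the marker, so ordinary DCS traffic such as tmux passthrough does not produce noise.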

Mitigation Strategies

The immediate mitigation step is to upgrade the kitty terminal emulator to version 0.47.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, avoid opening untrusted files or content in kitty terminals, especially those that might contain malicious DCS sequences or Python code.

Consider restricting the use of the --color=geninclude option or disabling inline kitty config parsing if possible, as this option enables the execution of attacker-supplied Python code.
