Nixpkgs security tracker


Details of issue NIXPKGS-2026-1913

NIXPKGS-2026-1913
published 7 hours ago
Kitty: arbitrary file write and command injection < 0.47.3
CVE-2026-54056
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 7 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • kittysay
    • kitty-img
    • kitty-themes
    • kittycad-kcl-lsp
    • mailman-hyperkitty
    • haskellPackages.discokitty
    • mailmanPackages.hyperkitty
    • mailmanPackages.mailman-hyperkitty
    • vimPlugins.nvim-treesitter-parsers.kitty
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Kitty has an arbitrary file overwrite via symlink following in `kitten dnd` remote drop staging

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.

Affected products

kitty
  • >= 0.47.0, < 0.47.2

Matching in nixpkgs

pkgs.kitty

Fast, feature-rich, GPU based terminal emulator


CVE-2026-54055
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 7 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • kittysay
    • kitty-themes
    • kitty-img
    • kittycad-kcl-lsp
    • mailman-hyperkitty
    • haskellPackages.discokitty
    • mailmanPackages.hyperkitty
    • mailmanPackages.mailman-hyperkitty
    • vimPlugins.nvim-treesitter-parsers.kitty
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
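Both kitty advisories above come down to the same primitive: a file is created in a directory the attacker can populate (the `kitten dnd` staging directory, or the file-transfer destination) with `O_CREAT|O_TRUNC` and without `O_NOFOLLOW`, so a symlink that already sits at that name, whether planted by an earlier drop entry or swapped in after the stat check, is followed and the file it points at is truncated and overwritten. The Go program below is an added illustration, not kitty's code: `stageUnsafe`, `stager`, `runDemo`, the `notes.txt` entry name and the `victim.conf` file are all constructed for the demo. It plants the symlink, shows the unsafe open clobbering the victim, and then shows the hardened open (`O_CREAT|O_EXCL|O_NOFOLLOW`, plus basename validation and the per-drop de-duplication the dnd advisory says was missing) refusing the same entry. It needs a Unix-like system for `syscall.O_NOFOLLOW` and symlink support.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// stageUnsafe mirrors the pre-fix pattern named in both advisories:
// O_RDWR|O_CREAT|O_TRUNC with no O_NOFOLLOW. If a symlink already sits at the
// staged name, the open follows it and truncates whatever the link points at.
func stageUnsafe(dir, name string, data []byte) error {
	f, err := os.OpenFile(filepath.Join(dir, name), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// stager is the hardened replacement (illustrative, not kitty's code).
type stager struct {
	dir  string
	seen map[string]bool // basenames already staged in this drop
}

func newStager(dir string) *stager { return &stager{dir: dir, seen: map[string]bool{}} }

func (s *stager) stage(name string, data []byte) error {
	// Only a plain basename may be staged: no path separators, no "." / "..".
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return fmt.Errorf("refusing %q: not a plain basename", name)
	}
	// The de-duplication missing in the dnd case: a second entry with the same
	// basename is rejected instead of overwriting the first.
	if s.seen[name] {
		return fmt.Errorf("refusing %q: duplicate basename in this drop", name)
	}
	s.seen[name] = true
	// O_CREAT|O_EXCL is atomic: the open fails with EEXIST if anything at all
	// occupies the path, symlink included, so there is no stat-then-open window.
	// O_NOFOLLOW is kept as a second line of defence should the flags ever change.
	f, err := os.OpenFile(filepath.Join(s.dir, name),
		os.O_WRONLY|os.O_CREATE|os.O_EXCL|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demoResult records what each variant did to a victim file outside the staging dir.
type demoResult struct {
	UnsafeClobbered bool  // stageUnsafe overwrote the victim through the symlink
	HardenedErr     error // error returned by the hardened stager
	RefusedAsExists bool  // that error is EEXIST (O_EXCL tripped on the symlink)
	VictimIntact    bool  // victim unchanged after the hardened attempt
}

// runDemo builds a throwaway tree: a victim file (constructed stand-in for a
// real dotfile) and a staging dir holding a symlink to it under "notes.txt".
func runDemo() (demoResult, error) {
	var r demoResult
	base, err := os.MkdirTemp("", "kitty-symlink-demo-")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	victim := filepath.Join(base, "victim.conf")
	staging := filepath.Join(base, "staging")
	const original = "important_setting=1\n"
	if err := os.Mkdir(staging, 0o700); err != nil {
		return r, err
	}
	if err := os.WriteFile(victim, []byte(original), 0o600); err != nil {
		return r, err
	}
	// Attacker step 1: a symlink entry arrives under the name that will be reused.
	if err := os.Symlink(victim, filepath.Join(staging, "notes.txt")); err != nil {
		return r, err
	}
	payload := []byte("attacker_controlled=1\n")
	// Attacker step 2: a regular-file entry with the same basename.
	if err := stageUnsafe(staging, "notes.txt", payload); err != nil {
		return r, err
	}
	got, _ := os.ReadFile(victim)
	r.UnsafeClobbered = string(got) != original

	// Restore the victim and replay step 2 against the hardened stager.
	if err := os.WriteFile(victim, []byte(original), 0o600); err != nil {
		return r, err
	}
	r.HardenedErr = newStager(staging).stage("notes.txt", payload)
	r.RefusedAsExists = errors.Is(r.HardenedErr, fs.ErrExist)
	got, _ = os.ReadFile(victim)
	r.VictimIntact = string(got) == original
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("unsafe open clobbered victim: %v\n", r.UnsafeClobbered)
	fmt.Printf("hardened open refused (EEXIST=%v): %v; victim intact: %v\n",
		r.RefusedAsExists, r.HardenedErr, r.VictimIntact)
}
```

`O_EXCL` is what actually closes the race: it makes "does anything exist here?" and "create it" a single system call, so the attacker's symlink cannot be slotted in between them. `O_NOFOLLOW` alone would also refuse the symlink (with `ELOOP`), but it does nothing against a regular file the attacker already placed, which is why the hardened variant uses both together with the duplicate-name check.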

Affected products

kitty
  • < 0.47.2

Matching in nixpkgs

pkgs.kitty

Fast, feature-rich, GPU based terminal emulator


CVE-2026-54057
7.3 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 7 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • kittysay
    • kitty-img
    • kitty-themes
    • kittycad-kcl-lsp
    • mailman-hyperkitty
    • haskellPackages.discokitty
    • mailmanPackages.hyperkitty
    • vimPlugins.nvim-treesitter-parsers.kitty
    • mailmanPackages.mailman-hyperkitty
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Kitty vulnerable to command injection via unsanitized OSC 21 query reply

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Anything that can write to the terminal (typically a crafted file being displayed, or output from a remote session) can therefore send a query whose key bytes are echoed back as keyboard input; an embedded newline ends the line the reply lands on, and the bytes that follow it are read by the shell as a command. Version 0.47.3 fixes the issue.
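The reflection described above, as an added Go illustration that is not kitty's code: the `OSC 21 ; key=? ; ... ST` framing, the `palette` table and the `keyIsSafe` allow-list are assumptions made for this demo, chosen only to expose the reflection point. `replyUnsanitized` echoes whatever key was queried, so a key carrying a newline and a command ends up in the reply; `replySanitized` answers only allow-listed keys the terminal knows and drops the rest, and `payloadHasControl` is the check that tells the two replies apart.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed, simplified framing for this example: a query is OSC 21 ; k=? ; k=? ST
// and the reply is OSC 21 ; k=value ; ... ST, with ST = ESC \. Kitty's real
// colour-control protocol has more forms; only the reflection point matters here.
const (
	oscPrefix = "\x1b]21;"
	st        = "\x1b\\"
)

// palette is a constructed stand-in for the terminal's colour table.
var palette = map[string]string{
	"background": "rgb:00/00/00",
	"foreground": "rgb:ff/ff/ff",
}

// parseQuery strips the framing and returns the ';'-separated "key=?" items.
func parseQuery(raw string) ([]string, bool) {
	if !strings.HasPrefix(raw, oscPrefix) || !strings.HasSuffix(raw, st) {
		return nil, false
	}
	body := strings.TrimSuffix(strings.TrimPrefix(raw, oscPrefix), st)
	return strings.Split(body, ";"), true
}

// replyUnsanitized echoes every queried key back verbatim, the pre-0.47.3
// behaviour the advisory describes. Because the reply is delivered as terminal
// input, a key containing "\n" splits it into separate lines for the shell.
func replyUnsanitized(raw string) string {
	items, ok := parseQuery(raw)
	if !ok {
		return ""
	}
	var out []string
	for _, it := range items {
		key, val, found := strings.Cut(it, "=")
		if !found || val != "?" {
			continue
		}
		out = append(out, key+"="+palette[key]) // unknown key: still echoed, with an empty value
	}
	return oscPrefix + strings.Join(out, ";") + st
}

// keyIsSafe allow-lists the bytes a legitimate key can contain (assumed: [A-Za-z0-9_]).
func keyIsSafe(key string) bool {
	if key == "" {
		return false
	}
	for i := 0; i < len(key); i++ {
		c := key[i]
		isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
		if !isAlnum && c != '_' {
			return false
		}
	}
	return true
}

// replySanitized answers only allow-listed keys the terminal actually knows;
// anything else is dropped rather than reflected, and an all-bad query gets no reply.
func replySanitized(raw string) string {
	items, ok := parseQuery(raw)
	if !ok {
		return ""
	}
	var out []string
	for _, it := range items {
		key, val, found := strings.Cut(it, "=")
		if !found || val != "?" || !keyIsSafe(key) {
			continue
		}
		if color, known := palette[key]; known {
			out = append(out, key+"="+color)
		}
	}
	if len(out) == 0 {
		return ""
	}
	return oscPrefix + strings.Join(out, ";") + st
}

// payloadHasControl reports whether the reply body (framing removed) carries a
// C0 control byte or DEL, i.e. whether it could break out of the escape sequence.
func payloadHasControl(reply string) bool {
	body := strings.TrimSuffix(strings.TrimPrefix(reply, oscPrefix), st)
	for i := 0; i < len(body); i++ {
		if body[i] < 0x20 || body[i] == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	// Constructed attacker query: the second "key" is a newline-delimited command.
	evil := oscPrefix + "background=?;\nid>/tmp/pwned\n=?" + st
	fmt.Printf("unsanitized: %q  control bytes: %v\n", replyUnsanitized(evil), payloadHasControl(replyUnsanitized(evil)))
	fmt.Printf("sanitized:   %q  control bytes: %v\n", replySanitized(evil), payloadHasControl(replySanitized(evil)))
}
```

The general rule this demonstrates is that a terminal must never echo attacker-supplied bytes back as input: whichever reply format is in use, answer from the terminal's own table using a validated key, and refuse (rather than escape) anything that does not match the grammar.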

Affected products

kitty
  • < 0.47.3

Matching in nixpkgs

pkgs.kitty

Fast, feature-rich, GPU based terminal emulator
