We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
Reserved 2025-05-31 | Published 2025-06-11 | Updated 2025-06-11 | Assigner mitreCWE-670 Always-Incorrect Control Flow Implementation
invent.kde.org/utilities/konsole/-/tags
konsole.kde.org/changelog.html
www.openwall.com/lists/oss-security/2025/06/10/5
invent.kde.org/...t/09d20dea109050b4c02fb73095f327b5642a2b75
kde.org/info/security/advisory-20250609-1.txt
proofnet.de/publikationen/konsole_rce.html
Support options