KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
Dennis Dast discovered that the Konsole terminal emulator insecurely handled the telnet URI scheme, which could result in the execution of arbitrary code in some configurations. For the stable distribution (bookworm), this problem has been fixed in version 4:22.12.3-1+deb12u1.
