PT-2025-26609 · Xdg-Utils+1

Mingi Jung · Published 2025-06-23 · Updated 2025-06-24 · CVE-2025-52968

CVSS v3.1: 2.7 (Low)
Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: xdg-utils versions 1.1.0 through 1.2.1; xdg-utils version 1.2.1
Description: The issue concerns xdg-open in xdg-utils, which can send requests containing SameSite=Strict cookies. This can facilitate Cross-Site Request Forgery (CSRF) attacks. The problem is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user or resulted from navigation from content in an untrusted origin.
Recommendations: For xdg-utils versions 1.1.0 through 1.2.1, consider modifying xdg-open to associate x-scheme-handler/https with the execution of a browser using command-line options that arrange for an empty cookie store, although this would add substantial complexity and may not be desirable for all users. For xdg-utils version 1.2.1, as a temporary workaround, consider restricting the use of xdg-open to minimize the risk of CSRF attacks until a more suitable solution is available.
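One way to realise the empty-cookie-store recommendation, as an added example that is not part of xdg-utils or of this advisory: a handler script registered for x-scheme-handler/http and x-scheme-handler/https that launches the browser with a throwaway profile. It assumes Firefox's --no-remote/--profile and Chromium's --user-data-dir options; the script name, the .desktop file name, BROWSER_NAME and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of xdg-utils: a hypothetical handler script that can be
# registered for x-scheme-handler/http and x-scheme-handler/https so that every
# link dispatched through xdg-open opens in a browser with an empty cookie store.
# Assumes Firefox's --no-remote/--profile options and Chromium's --user-data-dir
# option; BROWSER_NAME, isolated_browser_cmd and open_isolated are example names.

# Build the browser command line for URL $2 using browser $1 and the (empty)
# profile directory $3. Only http(s) URLs are accepted, so other schemes that a
# page might hand to xdg-open never reach the browser through this handler.
isolated_browser_cmd() {
    browser=$1; url=$2; profile=$3
    case "$url" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$browser" in
        firefox)  printf '%s\n' "firefox --no-remote --profile $profile $url" ;;
        chromium) printf '%s\n' "chromium --user-data-dir=$profile $url" ;;
        *) return 2 ;;
    esac
}

# Entry point used when installed as the handler: a throwaway profile is created
# per invocation and deleted when the browser exits, so no cookie (SameSite=Strict
# or otherwise) from the user's normal session can be attached to the request.
open_isolated() {
    profile=$(mktemp -d) || return 1
    cmd=$(isolated_browser_cmd "${BROWSER_NAME:-firefox}" "$1" "$profile") || {
        rmdir "$profile"; return 1; }
    # intentional word splitting of the command line built above
    $cmd
    status=$?
    rm -rf "$profile"
    return $status
}

# One-time registration (assumed layout): install this script as
# ~/.local/bin/isolated-open, create ~/.local/share/applications/isolated-browser.desktop
# with "Exec=isolated-open %u", then run:
#   xdg-mime default isolated-browser.desktop x-scheme-handler/http x-scheme-handler/https
if [ $# -gt 0 ]; then
    open_isolated "$1"
fi
```

Links the user opens from the terminal still go through the same handler, so the user's normal logged-in sessions are never reachable from an xdg-open dispatch; that is the trade-off the recommendation describes as "may not be desirable for all users".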

Related Identifiers

AZL-64296
CVE-2025-52968
ECHO-39BC-1319-217C

Affected Products

Debian
Xdg-Utils