CVE-2025-66270
4.7
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| KDE | KDE Connect protocol | 8 | affected |
Weaknesses
- CWE-290: CWE-290 Authentication Bypass by Spoofing
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
- https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
- https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
- https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
- https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
- https://kde.org/info/security/advisory-20251128-1.txt
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.