CVE-2025-66270

MEDIUM

KDE Connect <2025-11-28 - Info Disclosure

Title source: llm

Description

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

References (6)

[Various Sources] https://kde.org/info/security/advisory-20251128-1.txt

[Patch] https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3

View Patch ZIP pw:eip

[Patch] https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce

View Patch ZIP pw:eip

[Patch] https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9

[Patch] https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080

[Patch] https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e

Scores

CVSS v3 4.7

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

KDE/KDE Connect protocol 8

Published Dec 05, 2025

Tracked Since Feb 18, 2026