CVE-2025-66270
December 05, 2025
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Affected Packages
https://github.com/GSConnect/gnome-shell-extension-gsconnect.git (GITHUB):
Affected version(s) >=v1 <v68Fix Suggestion:
Update to version v68https://invent.kde.org/network/kdeconnect-android.git (SCM_GIT):
Affected version(s) >=v0.1 <v1.34.4Fix Suggestion:
Update to version v1.34.4https://invent.kde.org/network/kdeconnect-kde.git (SCM_GIT):
Affected version(s) >=v0.1 <v25.12.0Fix Suggestion:
Update to version v25.12.0Related ResourcesĀ (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.7
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Authentication Bypass by Spoofing
EPSS
Base Score:
0.03
