CVE-2025-66270 - Vulnerability Details

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple Subscribe	Ios Subscribe
Google Subscribe	Android Subscribe
Kde Subscribe	Gsconnect Subscribe Kde Subscribe Kdeconnect Subscribe Valent Subscribe

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Apple Subscribe	Ios Subscribe
Google Subscribe	Android Subscribe
Kde Subscribe	Gsconnect Subscribe Kde Subscribe Kdeconnect Subscribe Valent Subscribe

Advisories

Source	ID	Title
Debian DSA	DSA-6063-1	kdeconnect security update
Debian DSA	DSA-6066-1	gnome-shell-extension-gsconnect security update

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
https://kde.org/info/security/advisory-20251128-1.txt

History

Fri, 05 Dec 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Dec 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios Google Google android Kde Kde gsconnect Kde kde Kde kdeconnect Kde valent
Vendors & Products		Apple Apple ios Google Google android Kde Kde gsconnect Kde kde Kde kdeconnect Kde valent

Fri, 05 Dec 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Weaknesses		CWE-290
References		https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e https://kde.org/info/security/advisory-20251128-1.txt
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-05T00:00:00.000Z

Updated: 2025-12-05T17:26:40.066Z

Reserved: 2025-11-26T00:00:00.000Z

Link: CVE-2025-66270

Vulnrichment

Updated: 2025-12-05T17:26:33.819Z

NVD

Status : Awaiting Analysis

Published: 2025-12-05T06:16:09.253

Modified: 2025-12-08T18:27:15.857

Link: CVE-2025-66270

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-12-05T10:51:50Z

Weaknesses

CWE-290

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object