CVE-2025-66270 - Vulnerability Details

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-6063-1	kdeconnect security update
Debian DSA	DSA-6066-1	gnome-shell-extension-gsconnect security update

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
https://kde.org/info/security/advisory-20251128-1.txt

History

Fri, 05 Dec 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Weaknesses		CWE-290
References		https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e https://kde.org/info/security/advisory-20251128-1.txt
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-05T00:00:00.000Z

Updated: 2025-12-05T05:25:41.584Z

Reserved: 2025-11-26T00:00:00.000Z

Link: CVE-2025-66270

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-05T06:16:09.253

Modified: 2025-12-05T06:16:09.253

Link: CVE-2025-66270

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-290

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object