CVE-2025-66270

Authentication Bypass by Spoofing

Published: Dec 05, 2025 | Modified: Dec 05, 2025
CVSS 3.x: N/A (Source: NVD)
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu: MEDIUM

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

Weakness

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Affected Software

Name | Vendor | Start Version | End Version
Gnome-shell-extension-gsconnect | Ubuntu | plucky | *
Gnome-shell-extension-gsconnect | Ubuntu | questing | *
Gnome-shell-extension-gsconnect | Ubuntu | upstream | *
Kdeconnect | Ubuntu | questing | *
Kdeconnect | Ubuntu | upstream | *

References