CVE-2025-32898 — Insufficient Entropy in Connect Verification-code Protocol

CWE-331 — Insufficient Entropy5 documents5 sources

Severity

4.7MEDIUMNVD

EPSS

0.0%

top 98.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Connect Verification-code Protocol KDE Kdeconnect

Timeline

PublishedDec 5

Description

The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5kde/kde_connect_verification-code_protocol< 2025-04-18

▶Debiankde/kdeconnect< 25.04.0-1+1

🔴Vulnerability Details

CVEList

CVE-2025-32898: The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks↗2025-12-05

▶

OSV

CVE-2025-32898: The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks↗2025-12-05

▶

GHSA

GHSA-r3v4-hrwm-cxm5: The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks↗2025-12-05

▶

📋Vendor Advisories

Debian

CVE-2025-32898: gnome-shell-extension-gsconnect - The KDE Connect verification-code protocol before 2025-04-18 uses only 8 charact...↗2025

▶