CVE-2025-66270 — Authentication Bypass by Spoofing in Connect Protocol

CWE-290 — Authentication Bypass by Spoofing6 documents6 sources

Severity

4.7MEDIUMNVD

EPSS

0.0%

top 90.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Kdeconnect KDE Connect Protocol

Timeline

PublishedDec 5

Description

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5kde/kde_connect_protocol8

▶Debiankde/kdeconnect< 25.04.2-1+deb13u1+1

🔴Vulnerability Details

OSV

CVE-2025-66270: The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets↗2025-12-05

▶

GHSA

GHSA-xcg9-fw4f-9chv: The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets↗2025-12-05

▶

CVEList

CVE-2025-66270: The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets↗2025-12-05

▶

📋Vendor Advisories

Ubuntu

KDE Connect vulnerability↗2025-12-03

▶

Debian

CVE-2025-66270: gnome-shell-extension-gsconnect - The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs acros...↗2025

▶