Duty Analyst: Moises Salas Lopez

CVE-2025-66270

Published: 2025-12-05 06:16:09 | Last modified: 2025-12-08 18:27:16

MEDIUM CVSS 4.7
No EPSS data

Description

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

CVSS details

Severity: medium
Score: 4.7
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS

This CVE is not currently listed in the EPSS dataset.

JSON

{
    "cve": {
        "id": "CVE-2025-66270",
        "cveTags": [],
        "metrics": {
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "cve@mitre.org",
                    "cvssData": {
                        "scope": "CHANGED",
                        "version": "3.1",
                        "baseScore": 4.7,
                        "attackVector": "ADJACENT_NETWORK",
                        "baseSeverity": "MEDIUM",
                        "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
                        "integrityImpact": "LOW",
                        "userInteraction": "NONE",
                        "attackComplexity": "HIGH",
                        "availabilityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "LOW"
                    },
                    "impactScore": 2.7,
                    "exploitabilityScore": 1.6
                }
            ]
        },
        "published": "2025-12-05T06:16:09.253",
        "references": [
            {
                "url": "https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://kde.org/info/security/advisory-20251128-1.txt",
                "source": "cve@mitre.org"
            }
        ],
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
            {
                "type": "Secondary",
                "source": "cve@mitre.org",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-290"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49."
            }
        ],
        "lastModified": "2025-12-08T18:27:15.857",
        "sourceIdentifier": "cve@mitre.org"
    }
}