KDE Project Security Advisory
=============================

Title: KDE Connect: a packet can be crafted to temporarily change the information of a device
Risk rating: Medium
CVE: CVE-2025-32900
Versions: KDE Connect Android < 1.33.0, KDE Connect desktop < 25.04, KDE Connect iOS < 0.5
Date: 18 April 2025

Overview
========

KDE Connect discovers other devices by sending broadcast UDP packets to the network. These packets contain a device ID and display information such as the device name and the device type (used to choose a device icon).

Since UDP is unauthenticated, an attacker could send a packet claiming to be another device and carrying different device information. This would cause KDE Connect to temporarily show the wrong information for that device, until the real device sends a packet with the correct data again.

CWE-348: Use of Less Trusted Source

Impact
======

An attacker could confuse the user by renaming a legitimate device, for example to cause them to pair with the wrong device.

Workaround
==========

We advise you to stop KDE Connect when on untrusted networks, such as those at airports or conferences.

Solution
========

Update KDE Connect on all your devices to a non-vulnerable version, which exchanges the device information over TLS.

Note that, for backwards compatibility, KDE Connect keeps using the old, unauthenticated information exchange when connecting to a device that runs an old version of KDE Connect. You can verify that your devices use protocol version 8, which contains the security fixes:

- In KDE Connect Android: select a device, open the overflow menu and select "Encryption Info".
- In KDE Connect desktop: use the command line tool "kdeconnect-cli --encryption-info".

Other Affected Software
=======================

This vulnerability also affects other implementations of the KDE Connect protocol that are not developed by KDE.

The following implementations are known to have applied a fix:

* Valent: Fixes added in version 1.0.0.alpha.47
* GSConnect: Fixes added in version 59

Credits
=======

Thanks to Cezar Lungu for reporting this issue.
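The trust split described in the Solution section, modelled as an added example (this is not KDE Connect's own code): name and type from an unauthenticated UDP identity packet are accepted only for legacy peers, while a protocol-8 peer's display information is taken solely from the identity exchanged over TLS, whose deviceId must match the peer certificate. It assumes identity packets are JSON with a "body" carrying deviceId, deviceName, deviceType and protocolVersion, and that the TLS layer hands over the deviceId bound to the peer certificate.

```python
import json
import logging

log = logging.getLogger("kdeconnect.identity")
FIXED_PROTOCOL = 8  # first protocol version that carries device info over TLS (per the advisory)


class DeviceRegistry:
    """Tracks discovered devices; display fields are trusted only from the right channel."""

    def __init__(self):
        self.devices = {}  # deviceId -> {"name", "type", "protocol", "addr", "trusted"}

    def _entry(self, dev_id, addr=None, ver=0):
        return self.devices.setdefault(
            dev_id, {"name": None, "type": None, "protocol": ver, "addr": addr, "trusted": False})

    def handle_udp_identity(self, raw: bytes, src_addr: str) -> dict:
        """Broadcast discovery: anything on the LAN can send this, so it is untrusted input."""
        body = json.loads(raw)["body"]
        ver = int(body.get("protocolVersion", 0))
        entry = self._entry(body["deviceId"], src_addr, ver)
        if entry["addr"] != src_addr:  # same id announced from a new source: worth logging
            log.warning("deviceId %s now announced from %s (was %s)",
                        body["deviceId"], src_addr, entry["addr"])
        entry["addr"], entry["protocol"] = src_addr, ver
        if ver < FIXED_PROTOCOL:
            # Legacy peer: UDP is its only channel for name/type, so keep the old behaviour.
            entry["name"], entry["type"] = body.get("deviceName"), body.get("deviceType")
        # Protocol 8+: any display fields in the UDP packet are ignored entirely.
        return entry

    def handle_tls_identity(self, raw: bytes, cert_device_id: str) -> dict:
        """Identity received on the TLS channel; cert_device_id is bound to the peer certificate."""
        body = json.loads(raw)["body"]
        if body["deviceId"] != cert_device_id:
            raise ValueError("identity deviceId does not match the TLS peer certificate")
        entry = self._entry(cert_device_id)
        entry.update(name=body["deviceName"], type=body["deviceType"], trusted=True)
        return entry

    def display_name(self, dev_id: str) -> str:
        """What the UI should show: never a name that only an untrusted packet claimed."""
        entry = self.devices[dev_id]
        return entry["name"] or f"unverified device {dev_id}"


def identity_packet(dev_id: str, name: str, dtype: str, ver: int) -> bytes:
    """Build a constructed sample identity packet (assumed shape, not a real capture)."""
    return json.dumps({"id": 1, "type": "kdeconnect.identity", "body": {
        "deviceId": dev_id, "deviceName": name, "deviceType": dtype,
        "protocolVersion": ver}}).encode()
```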