KDE Project Security Advisory ============================= Title: KDE Connect: Impersonation of paired devices, bypassing authentication Risk rating: Critical CVE: CVE-2025-66270 Versions: - KDE Connect desktop >= 25.04 and < 25.12 - KDE Connect iOS >= v0.5.2 and < 0.5.4 - KDE Connect Android >= v1.33.0 and < 1.34.4 - GSConnect >= 59 and < 68 - Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49 Date: 28/11/2025 Overview ======== Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol. In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting. The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it. Impact ====== An attacker, by knowing the ID of a previously paired device, could impersonate it and connect with the privileges of that device, skipping the authentication. Workaround ========== Until you can upgrade to a non-vulnerable version, we advise you to stop KDE Connect when on untrusted networks like those on airports or conferences and/or unpair all devices from KDE Connect. Solution ======== Update KDE Connect on all your devices to a non-vulnerable version. If a non-vulnerable version isn't yet available in your distribution channels, you can apply one of the following patches, depending on the KDE Connect implementation you use: - KDE Connect desktop: https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e - KDE Connect Anddroid: https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 - KDE Connect iOS: https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 - GSConnect: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 - Valent: https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce Credits ======= Thanks to Florian Bauckholt for reporting this issue. This is a coordinated advisory between KDE Connect, GSConnect and Valent.