KDE Project Security Advisory: KDE Connect: Impersonation of paired devices, bypassing authentication
Albert Astals Cid
aacid at kde.org
Sat Nov 29 16:46:15 GMT 2025
KDE Project Security Advisory
=============================
Title: KDE Connect: Impersonation of paired devices, bypassing authentication
Risk rating: Critical
CVE: CVE-2025-66270
Versions:
- KDE Connect desktop >= 25.04 and < 25.12
- KDE Connect iOS >= v0.5.2 and < 0.5.4
- KDE Connect Android >= v1.33.0 and < 1.34.4
- GSConnect >= 59 and < 68
- Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49
Date: 28/11/2025
Overview
========
Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol.
In this version, the discovery of other devices with KDE Connect on your network involves an
additional packet exchange between the two devices. While the first packet is used to determine if a
device is paired or not, this additional packet is used to identify the device that is connecting.
The vulnerable implementations of KDE Connect were not checking that the device ID in the first
packet and the device ID in the second packet were the same. This could be abused by first sending a
device ID of an unpaired device which doesn't require authentication, followed by sending the device
ID of a paired device in order to impersonate it.
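The missing comparison, shown as a simplified model. This is an added example, not code from KDE Connect, GSConnect or Valent; the function names, the `authOk` flag standing in for the authentication step, and the device IDs are assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>

// Simplified model of the two-packet exchange described in the advisory.
// All names are hypothetical; this is not code from any affected project.
enum class Link { Rejected, Unpaired, Paired };
using PairedSet = std::set<std::string>;  // IDs of devices we have paired with

// The first packet's device ID decides whether authentication is required.
bool authRequired(const PairedSet& paired, const std::string& firstId) {
    return paired.count(firstId) > 0;
}

// Vulnerable shape: authentication is gated on the first ID, but the link
// is then attributed to whatever ID arrives in the second packet.
Link completeVulnerable(const PairedSet& paired, const std::string& firstId,
                        const std::string& secondId, bool authOk) {
    if (authRequired(paired, firstId) && !authOk) return Link::Rejected;
    return paired.count(secondId) ? Link::Paired : Link::Unpaired;
}

// Hardened shape: both packets must name the same device before the link
// is attributed to anyone.
Link completeFixed(const PairedSet& paired, const std::string& firstId,
                   const std::string& secondId, bool authOk) {
    if (secondId != firstId) return Link::Rejected;  // the missing check
    if (authRequired(paired, firstId) && !authOk) return Link::Rejected;
    return paired.count(firstId) ? Link::Paired : Link::Unpaired;
}

const char* name(Link l) {
    return l == Link::Paired ? "paired" : l == Link::Unpaired ? "unpaired" : "rejected";
}

int main() {
    const PairedSet paired{"phone-A"};  // constructed sample data
    // Mismatched IDs, no authentication performed.
    std::cout << "vulnerable: " << name(completeVulnerable(paired, "stranger", "phone-A", false)) << "\n";
    std::cout << "fixed:      " << name(completeFixed(paired, "stranger", "phone-A", false)) << "\n";
    // Legitimate paired device: same ID in both packets, authentication passed.
    std::cout << "fixed:      " << name(completeFixed(paired, "phone-A", "phone-A", true)) << "\n";
}
```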
Impact
======
An attacker, by knowing the ID of a previously paired device, could impersonate it and connect with
the privileges of that device, skipping the authentication.
Workaround
==========
Until you can upgrade to a non-vulnerable version, we advise you to stop KDE Connect when on
untrusted networks like those at airports or conferences and/or unpair all devices from KDE Connect.
Solution
========
Update KDE Connect on all your devices to a non-vulnerable version.
If a non-vulnerable version isn't yet available in your distribution channels, you can apply one of
the following patches, depending on the KDE Connect implementation you use:
- KDE Connect desktop: https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
- KDE Connect Android: https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
- KDE Connect iOS: https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
- GSConnect: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
- Valent: https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
Credits
=======
Thanks to Florian Bauckholt for reporting this issue.
This is a coordinated advisory between KDE Connect, GSConnect and Valent.
https://kde.org/info/security/advisory-20251128-1.txt