KDE Project Security Advisory
=============================
Title: KDE Connect: Impersonation of paired devices, bypassing authentication
Risk rating: Critical
CVE: CVE-2025-66270
Versions:
- KDE Connect desktop >= 25.04 and < 25.12
- KDE Connect iOS >= v0.5.2 and < 0.5.4
- KDE Connect Android >= v1.33.0 and < 1.34.4
- GSConnect >= 59 and < 68
- Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49
Date: 28/11/2025
Overview
========
Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol.

In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting.

The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.
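The following is an added illustration of the missing check, not code from KDE Connect, GSConnect or Valent. It is a simplified model: the names `complete_handshake`, `Session`, `PAIRED` and the `credential` argument are hypothetical, and the sample device IDs are constructed.

```python
from dataclasses import dataclass

# Constructed sample data: paired device ID -> pinned credential (assumed model).
PAIRED = {"paired-phone-id": "fp-of-paired-phone"}


class HandshakeRejected(Exception):
    """The connection must be dropped during discovery."""


@dataclass(frozen=True)
class Session:
    device_id: str
    paired: bool


def complete_handshake(first_id, second_id, credential, enforce_id_match=True):
    """Simplified model of the two-packet discovery exchange.

    first_id:   device ID in the first packet (decides paired or unpaired)
    second_id:  device ID in the additional protocol version 8 packet
    credential: what the peer presented to authenticate (hypothetical stand-in)
    enforce_id_match=False reproduces the missing check described above.
    """
    # First packet: a paired ID must authenticate, an unpaired ID need not.
    if first_id in PAIRED and credential != PAIRED[first_id]:
        raise HandshakeRejected("credential does not match the paired device")

    # The check that was missing: the ID that chose the authentication
    # policy must be the ID the session is bound to.
    if enforce_id_match and second_id != first_id:
        raise HandshakeRejected("device ID changed between packets")

    # Second packet: identifies the device for the rest of the session.
    return Session(device_id=second_id, paired=second_id in PAIRED)


def is_rejected(*args, **kwargs):
    """Return True if the handshake is refused, False if a session is created."""
    try:
        complete_handshake(*args, **kwargs)
    except HandshakeRejected:
        return True
    return False
```

With the comparison in place, a connection whose two device IDs differ is dropped before any session exists; without it, the session inherits the paired status of whatever ID the second packet names.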
Impact
======
An attacker, by knowing the ID of a previously paired device, could impersonate it and connect with the privileges of that device, skipping the authentication.
Workaround
==========
Until you can upgrade to a non-vulnerable version, we advise you to stop KDE Connect when on untrusted networks, such as those at airports or conferences, and/or unpair all devices from KDE Connect.
Solution
========
Update KDE Connect on all your devices to a non-vulnerable version.
If a non-vulnerable version isn't yet available in your distribution channels, you can apply one of the following patches, depending on the KDE Connect implementation you use:
- KDE Connect desktop: https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
- KDE Connect Android: https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
- KDE Connect iOS: https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
- GSConnect: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
- Valent: https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
Credits
=======
Thanks to Florian Bauckholt for reporting this issue.
This is a coordinated advisory between KDE Connect, GSConnect and Valent.
https://kde.org/info/security/advisory-20251128-1.txt