| Name | CVE-2025-66270 |
| Description | The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6063-1, DSA-6066-1 |

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| gnome-shell-extension-gsconnect (PTS) | bookworm | 54-2 | fixed |
| gnome-shell-extension-gsconnect (PTS) | trixie | 62-1 | vulnerable |
| gnome-shell-extension-gsconnect (PTS) | trixie (security) | 62-1+deb13u1 | fixed |
| gnome-shell-extension-gsconnect (PTS) | forky, sid | 71-1 | fixed |
| kdeconnect (PTS) | bullseye | 20.12.3-2 | fixed |
| kdeconnect (PTS) | bookworm | 22.12.3-1 | fixed |
| kdeconnect (PTS) | trixie | 25.04.2-1 | vulnerable |
| kdeconnect (PTS) | trixie (security) | 25.04.2-1+deb13u1 | fixed |
| kdeconnect (PTS) | forky, sid | 25.11.80+git20251121.7090b106-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gnome-shell-extension-gsconnect | source | bookworm | (not affected) | | | |
| gnome-shell-extension-gsconnect | source | trixie | 62-1+deb13u1 | | DSA-6066-1 | |
| gnome-shell-extension-gsconnect | source | (unstable) | 71-1 | | | |
| kdeconnect | source | bullseye | (not affected) | | | |
| kdeconnect | source | bookworm | (not affected) | | | |
| kdeconnect | source | trixie | 25.04.2-1+deb13u1 | | DSA-6063-1 | |
| kdeconnect | source | (unstable) | 25.11.80+git20251121.7090b106-1 | | | |

[bookworm] - kdeconnect <not-affected> (Vulnerable code not present)
[bullseye] - kdeconnect <not-affected> (Vulnerable code not present)
[bookworm] - gnome-shell-extension-gsconnect <not-affected> (Vulnerable code not present)
https://kde.org/info/security/advisory-20251128-1.txt
Fixed by: https://invent.kde.org/network/kdeconnect-kde/-/commit/1d757349d0f517ef12c119565ffb1f79503fbcdf (v25.11.90)
Introduced by: https://invent.kde.org/network/kdeconnect-kde/-/commit/98256fda3dfdf50edd7555f21cba46fd1e596523 (v25.03.80)
Fixed by: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/3223595bb648ad09afd150ec56dadfe1f33bd641 (v70)
Introduced by: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/cf099c63c7981e69bd095fcbe3215cf87b5328f8 (v59)