
KDE Connect security advisory released due to possible authentication bypass

By -
Last updated: 1 Dec 2025 at 11:31 am UTC

KDE Connect is a popular cross-platform app that lets you send files between devices and more - and a security advisory has been sent out due to a woops. Tracked as CVE-2025-66270, that woops could allow an attacker to skip proper authentication entirely.

An overview of the issue:

Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol. In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting.

The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.
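To make the two-packet problem concrete, here is an added, hypothetical C++ model of the exchange (not KDE Connect's own code): packet 1's device ID decides whether pairing authentication is demanded, packet 2's device ID is what the receiver then uses as the peer's identity, and a flag toggles the missing consistency check so the fixed and unfixed behaviour can be compared. The device IDs are constructed sample values.

```cpp
#include <optional>
#include <set>
#include <string>

// Hypothetical, simplified model of the protocol-8 two-packet exchange.
// Packet 1's ID gates authentication; packet 2's ID becomes the peer's identity.
struct Packet {
    std::string deviceId;
};

enum class Result { Rejected, AcceptedUnpaired, AcceptedPaired };

class ConnectionHandler {
public:
    ConnectionHandler(std::set<std::string> pairedIds, bool requireMatchingIds)
        : paired_(pairedIds), requireMatchingIds_(requireMatchingIds) {}

    // Packet 1: remember the ID; return true if the peer claims a paired
    // identity and therefore must authenticate before going further.
    bool onFirstPacket(const Packet& p) {
        firstId_ = p.deviceId;
        return paired_.count(p.deviceId) > 0;
    }

    // Packet 2: identify the device. Vulnerable builds trusted this ID without
    // comparing it to packet 1; the fixed path rejects any mismatch.
    Result onSecondPacket(const Packet& p) {
        if (!firstId_) return Result::Rejected;                // no packet 1 seen
        if (requireMatchingIds_ && p.deviceId != *firstId_)
            return Result::Rejected;                            // the fix
        bool paired = paired_.count(p.deviceId) > 0;
        return paired ? Result::AcceptedPaired : Result::AcceptedUnpaired;
    }
private:
    std::set<std::string> paired_;
    bool requireMatchingIds_;
    std::optional<std::string> firstId_;
};

// Full exchange for a peer holding no pairing credential, against a receiver
// that has one paired device, "laptop-paired" (constructed sample ID).
Result handshakeWithoutCredential(bool requireMatchingIds,
                                  const std::string& firstId,
                                  const std::string& secondId) {
    ConnectionHandler h(std::set<std::string>{"laptop-paired"}, requireMatchingIds);
    if (h.onFirstPacket(Packet{firstId}))
        return Result::Rejected;  // authentication demanded, peer cannot provide it
    return h.onSecondPacket(Packet{secondId});
}
```

With the check disabled, an unpaired ID in packet 1 followed by a paired ID in packet 2 ends as AcceptedPaired; with it enabled the same sequence is rejected, while an honest unpaired device still connects as unpaired.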

The vulnerable versions they list are:

  • KDE Connect desktop >= 25.04 and < 25.12
  • KDE Connect iOS >= v0.5.2 and < 0.5.4
  • KDE Connect Android >= v1.33.0 and < 1.34.4
  • GSConnect >= 59 and < 68
  • Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49

The KDE developers are suggesting you stop using KDE Connect until your Linux distribution releases an update for it, or to manually patch it yourself if you're able to.

See more in the security advisory.

Tags: Security, Apps, KDE, Misc
2 comments

Eike 1 hour ago
What a nice piece of software, this!
emphy 1 hour ago
A bit fuzzy on why the communications seem to not be secured in a manner that prevents this from becoming a problem.

I.e.: I would have expected encrypted channels to make the question of authentication moot. If they aren't, I would strongly suggest not using KDE Connect on public/unknown networks regardless of the bug mentioned in the article.

Last edited by emphy on 1 Dec 2025 at 2:01 pm UTC