Linux

KDE Connect is a popular cross-platform app that allows you to send files across devices and more - with a security advisory being sent out due to a woops. Noted as CVE-2025-66270, that woops could allow an attacker to entirely skip proper authentication.

An overview of the issue:

Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol. In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting.

The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.

The vulnerable versions they list are:

KDE Connect desktop >= 25.04 and < 25.12
KDE Connect iOS >= v0.5.2 and < 0.5.4
KDE Connect Android >= v1.33.0 and < 1.34.4
GSConnect >= 59 and < 68
Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49

The KDE developers are suggesting you stop using KDE Connect until your Linux distribution releases an update for it, or to manually patch it yourself if you're able to.

See more in the security advisory.