CVE-2025-32898

EUVD-2025-201337
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.7 MEDIUM | ADJACENT_NETWORK | HIGH | NONE | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
| mitre | CNA | 4.7 MEDIUM | | | | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |

Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score
Percentile: 6%
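
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| gnome-shell-extension-gsconnect | bookworm | | ignored |
| gnome-shell-extension-gsconnect | bullseye | | ignored |
| gnome-shell-extension-gsconnect | forky | 71-1 | fixed |
| gnome-shell-extension-gsconnect | sid | 71-1 | fixed |
| gnome-shell-extension-gsconnect | trixie | 62-1+deb13u1 | fixed |
| gnome-shell-extension-gsconnect | trixie (security) | 62-1+deb13u1 | fixed |
| kdeconnect | bookworm | | ignored |
| kdeconnect | bullseye | | ignored |
| kdeconnect | forky | 25.11.80+git20251121.7090b106-1 | fixed |
| kdeconnect | sid | 25.11.80+git20251121.7090b106-1 | fixed |
| kdeconnect | trixie | 25.04.2-1+deb13u1 | fixed |
| kdeconnect | trixie (security) | 25.04.2-1+deb13u1 | fixed |
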
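
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| gnome-shell-extension-gsconnect | focal | needs-triage |
| gnome-shell-extension-gsconnect | jammy | needs-triage |
| gnome-shell-extension-gsconnect | noble | needs-triage |
| gnome-shell-extension-gsconnect | plucky | not-affected |
| gnome-shell-extension-gsconnect | questing | not-affected |
| kdeconnect | bionic | needs-triage |
| kdeconnect | focal | needs-triage |
| kdeconnect | jammy | needs-triage |
| kdeconnect | noble | needs-triage |
| kdeconnect | plucky | ignored |
| kdeconnect | questing | needs-triage |
| kdeconnect | xenial | needs-triage |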