CVE-2025-32898

The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 4.7 MEDIUM | ADJACENT_NETWORK | HIGH | NONE | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
mitre | CNA | 4.7 MEDIUM | | | | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score Percentile: Unknown
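Debian Releases

Debian Product | Codename | Version | Status
gnome-shell-extension-gsconnect | bookworm | | ignored
gnome-shell-extension-gsconnect | bullseye | | ignored
gnome-shell-extension-gsconnect | trixie | 62-1 | fixed
gnome-shell-extension-gsconnect | trixie (security) | 62-1+deb13u1 | fixed
gnome-shell-extension-gsconnect | forky | 71-1 | fixed
gnome-shell-extension-gsconnect | sid | 71-1 | fixed
kdeconnect | bullseye | | ignored
kdeconnect | bookworm | | ignored
kdeconnect | trixie | 25.04.2-1 | fixed
kdeconnect | trixie (security) | 25.04.2-1+deb13u1 | fixed
kdeconnect | forky | 25.11.80+git20251121.7090b106-1 | fixed
kdeconnect | sid | 25.11.80+git20251121.7090b106-1 | fixed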
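
Ubuntu Releases

Ubuntu Product | Codename | Status
gnome-shell-extension-gsconnect | questing | not-affected
gnome-shell-extension-gsconnect | plucky | not-affected
gnome-shell-extension-gsconnect | noble | needs-triage
gnome-shell-extension-gsconnect | jammy | needs-triage
gnome-shell-extension-gsconnect | focal | needs-triage
kdeconnect | questing | needs-triage
kdeconnect | plucky | needs-triage
kdeconnect | noble | needs-triage
kdeconnect | jammy | needs-triage
kdeconnect | focal | needs-triage
kdeconnect | bionic | needs-triage
kdeconnect | xenial | needs-triage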