CVE-2025-69412
Unknown Unknown - Not Provided
SSL Error Ignored in KDE messagelib Phishing API Causes Spoofing

Publication date: 2026-01-01

Last updated on: 2026-01-01

Assigner: MITRE

Description
KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-01-01
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kde messagelib to 25.11.90 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in KDE messagelib before version 25.11.90 involves ignoring SSL errors when using the Google Safe Browsing Lookup API's threatMatches.find method. Because SSL errors were ignored unconditionally, an attacker could perform a man-in-the-middle attack or spoof phishing API responses, potentially causing the application to accept forged or tampered phishing threat data. The vulnerability arises from the code calling ignoreSslErrors() on network replies, which bypasses SSL validation and undermines the security of phishing URL checks. [2]

Impact Analysis

This vulnerability can impact you by allowing attackers to spoof phishing threat data returned by the Google Safe Browsing Lookup API. If SSL errors are ignored, an attacker could intercept or modify the phishing API responses, causing the application to trust malicious URLs as safe or fail to detect phishing threats. This undermines the integrity of phishing detection, potentially exposing users to phishing attacks and related security risks. [2]

Detection Guidance

This vulnerability relates to KDE messagelib ignoring SSL errors when using the Google Safe Browsing Lookup API's threatMatches.find method. To detect exploitation attempts or related issues on your system or network, you can monitor network traffic for HTTPS requests to Google's Safe Browsing Lookup API endpoints and check for SSL errors or unusual SSL warnings in application logs. Since the vulnerability involves ignoring SSL errors, look for any logs or network captures showing SSL handshake failures or man-in-the-middle attempts during these API calls. Specific commands might include using network monitoring tools like 'tcpdump' or 'Wireshark' to capture traffic to Google's Safe Browsing API endpoints, and checking application logs for SSL error messages. For example, a tcpdump command to capture traffic to Google's Safe Browsing API could be: tcpdump -i <interface> host safebrowsing.googleapis.com and port 443. Additionally, reviewing KDE messagelib logs for any SSL error handling or ignoring indications can help detect the vulnerability's presence or exploitation. [1, 2]

Mitigation Strategies

To mitigate this vulnerability, update KDE messagelib to version 25.11.90 or later, where the issue has been fixed by removing the code that ignored SSL errors when communicating with Google's phishing API. This update enforces strict SSL validation, preventing acceptance of forged or tampered phishing data. Additionally, ensure that strict transport security is enabled and monitor for any SSL errors during API communications. Avoid using configurations that disable SSL error checking or ignore SSL warnings. If updating immediately is not possible, consider disabling the use of the Google Safe Browsing Lookup API in messagelib until the patch can be applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart