CVE-2025-69412
SSL Error Ignored in KDE messagelib Phishing API Causes Spoofing
Publication date: 2026-01-01
Last updated on: 2026-01-01
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kde | messagelib | up to 25.11.90 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in KDE messagelib before version 25.11.90 involves ignoring SSL errors when using the Google Safe Browsing Lookup API's threatMatches.find method. Because SSL errors were ignored unconditionally, an attacker could perform a man-in-the-middle attack or spoof phishing API responses, potentially causing the application to accept forged or tampered phishing threat data. The vulnerability arises from the code calling ignoreSslErrors() on network replies, which bypasses SSL validation and undermines the security of phishing URL checks. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to spoof phishing threat data returned by the Google Safe Browsing Lookup API. If SSL errors are ignored, an attacker could intercept or modify the phishing API responses, causing the application to trust malicious URLs as safe or fail to detect phishing threats. This undermines the integrity of phishing detection, potentially exposing users to phishing attacks and related security risks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to KDE messagelib ignoring SSL errors when using the Google Safe Browsing Lookup API's threatMatches.find method. To detect exploitation attempts or related issues on your system or network, you can monitor network traffic for HTTPS requests to Google's Safe Browsing Lookup API endpoints and check for SSL errors or unusual SSL warnings in application logs. Since the vulnerability involves ignoring SSL errors, look for any logs or network captures showing SSL handshake failures or man-in-the-middle attempts during these API calls. Specific commands might include using network monitoring tools like 'tcpdump' or 'Wireshark' to capture traffic to Google's Safe Browsing API endpoints, and checking application logs for SSL error messages. For example, a tcpdump command to capture traffic to Google's Safe Browsing API could be: tcpdump -i <interface> host safebrowsing.googleapis.com and port 443. Additionally, reviewing KDE messagelib logs for any SSL error handling or ignoring indications can help detect the vulnerability's presence or exploitation. [1, 2]
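The explanation above names the root cause (an unconditional `ignoreSslErrors()` call on the network reply) and the detection answer suggests reviewing the code for places where SSL errors are ignored. The following is an added audit helper written for this page, not code from KDE messagelib or the advisory: a small Python scanner that walks C++ source text and reports the Qt calls that disable TLS verification. It goes slightly beyond the advisory by also flagging `setPeerVerifyMode(QSslSocket::VerifyNone)`, which has the same effect as suppressing the errors after the fact. The class and function names in the two embedded C++ samples (`PhishingLookupJob`, `onSslErrors`, `PHISHING_LOG`) are constructed for the demonstration and are not messagelib identifiers.

```python
"""Audit helper for the pattern behind CVE-2025-69412: Qt network code that
suppresses TLS verification errors.  Constructed example, not KDE messagelib
code; the C++ samples below are made up to exercise the scanner."""
import re
from dataclasses import dataclass

# Qt calls that disable TLS verification.
PATTERNS = {
    # QNetworkReply::ignoreSslErrors() with no argument suppresses every
    # error; the QList<QSslError> overload at least limits what is ignored.
    "ignoreSslErrors": re.compile(r"\bignoreSslErrors\s*\(\s*(?P<args>[^)]*)\)"),
    # QSslConfiguration/QSslSocket::setPeerVerifyMode(QSslSocket::VerifyNone)
    # turns verification off before the request is even sent.
    "setPeerVerifyMode": re.compile(r"\bsetPeerVerifyMode\s*\(\s*(?P<args>[^)]*)\)"),
}


@dataclass
class Finding:
    line: int
    kind: str
    unconditional: bool  # True when the call disables verification outright
    text: str


def _strip_line_comment(line: str) -> str:
    # Only '//' comments are dropped; block comments are out of scope here.
    return line.split("//", 1)[0]


def find_tls_bypasses(source: str) -> list[Finding]:
    """Return every verification-weakening call found in the C++ source."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = _strip_line_comment(raw)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(code):
                args = m.group("args").strip()
                if kind == "ignoreSslErrors":
                    unconditional = args == ""          # no error list: ignore all
                else:
                    unconditional = "VerifyNone" in args
                findings.append(Finding(lineno, kind, unconditional, raw.strip()))
    return findings


def unconditional_bypasses(source: str) -> list[Finding]:
    """The findings a reviewer would block a merge on."""
    return [f for f in find_tls_bypasses(source) if f.unconditional]


# Constructed sample modelled on the advisory's description (not messagelib source).
SAMPLE_VULNERABLE = """\
// constructed sample: the vulnerable shape
void PhishingLookupJob::onSslErrors(QNetworkReply *reply, const QList<QSslError> &errors)
{
    Q_UNUSED(errors)
    reply->ignoreSslErrors();   // every TLS failure silently accepted
}

void PhishingLookupJob::start()
{
    QSslConfiguration conf = m_request.sslConfiguration();
    conf.setPeerVerifyMode(QSslSocket::VerifyNone);   // same effect, set up front
    m_request.setSslConfiguration(conf);
    m_reply = m_manager->post(m_request, m_payload);
}
"""

# Constructed sample of the hardened form: a TLS failure aborts the lookup.
SAMPLE_FIXED = """\
// constructed sample: the hardened shape
void PhishingLookupJob::onSslErrors(QNetworkReply *reply, const QList<QSslError> &errors)
{
    qCWarning(PHISHING_LOG) << "TLS error contacting Safe Browsing:" << errors;
    reply->abort();   // a failed lookup must never read as "URL is safe"
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        hits = unconditional_bypasses(src)
        print(f"{label}: {len(hits)} unconditional TLS bypass(es)")
        for f in hits:
            print(f"  line {f.line} [{f.kind}]: {f.text}")
```

The scanner deliberately treats the zero-argument `ignoreSslErrors()` as the blocking case, since that is the form the advisory describes: it accepts a forged certificate from any on-path party, so the phishing verdict returned by the API can no longer be trusted. The hardened sample logs the error and aborts the reply, so a failed lookup surfaces as a failure rather than as a clean result.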
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update KDE messagelib to version 25.11.90 or later, where the issue has been fixed by removing the code that ignored SSL errors when communicating with Google's phishing API. This update enforces strict SSL validation, preventing acceptance of forged or tampered phishing data. Additionally, ensure that strict transport security is enabled and monitor for any SSL errors during API communications. Avoid using configurations that disable SSL error checking or ignore SSL warnings. If updating immediately is not possible, consider disabling the use of the Google Safe Browsing Lookup API in messagelib until the patch can be applied. [2]