CVE-2025-5455

EUVD-2025-16625

02.06.2025, 09:15

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Debian Releases

Debian Product

Codename

qt6-base

bookworm	no-dsa
bullseye	postponed
forky	6.9.2+dfsg-4 fixed
sid	6.9.2+dfsg-4 fixed
trixie	6.8.2+dfsg-9+deb13u1 fixed

qtbase-opensource-src

bookworm	no-dsa
bullseye	postponed
bullseye (security)	vulnerable
forky	5.15.17+dfsg-7 fixed
sid	5.15.17+dfsg-7 fixed
trixie	5.15.15+dfsg-6 fixed

qtbase-opensource-src-gles

bookworm	5.15.8+dfsg-3 no-dsa
bullseye	5.15.2+dfsg-4 postponed
forky	5.15.17+dfsg-2 fixed
sid	5.15.17+dfsg-2 fixed
trixie	5.15.15+dfsg-2 fixed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://codereview.qt-project.org/c/qt/qtbase/+/642006