CVE-2025-5455

02.06.2025, 09:15

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
TQtC	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Debian Releases

Debian Product

Codename

qt6-base

bookworm	vulnerable
trixie	vulnerable
sid	vulnerable

qtbase-opensource-src

bullseye	vulnerable
bookworm	vulnerable
trixie	vulnerable
sid	vulnerable

qtbase-opensource-src-gles

bullseye	vulnerable
bookworm	vulnerable
trixie	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Vulnerability Media Exposure

[GERMAN] QT: Schwachstelle ermöglicht Denial of Service
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in QT ausnutzen, um einen Denial of Service Angriff durchzuführen.
Published: 2025-06-02T22:00:00+00:00

References

https://codereview.qt-project.org/c/qt/qtbase/+/642006