CVE-2025-5455

02.06.2025, 09:15

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
TQtC	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Debian Releases

Debian Product

Codename

qt6-base

bookworm	no-dsa
bullseye	postponed
trixie	6.8.2+dfsg-8 fixed
sid	6.8.2+dfsg-9 fixed

qtbase-opensource-src

bullseye	postponed
bookworm	no-dsa
sid	5.15.15+dfsg-6 fixed
trixie	5.15.15+dfsg-6 fixed

qtbase-opensource-src-gles

bullseye	5.15.2+dfsg-4 postponed
bookworm	5.15.8+dfsg-3 no-dsa
sid	5.15.15+dfsg-2 fixed
trixie	5.15.15+dfsg-2 fixed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://codereview.qt-project.org/c/qt/qtbase/+/642006