CVE-2025-5455

Summary

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Affected Software

VendorProductVersion RangeStatus
The Qt CompanyQt0 <= 5.15.18affected
The Qt CompanyQt6.0.0 <= 6.5.8affected
The Qt CompanyQt6.5.9unaffected
The Qt CompanyQt6.6.0 <= 6.8.3affected
The Qt CompanyQt6.8.4unaffected
The Qt CompanyQt6.9.0affected
The Qt CompanyQt6.9.1unaffected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References