CVE-2025-5455

Possible denial of service when passing malformed data in a URL to qDecodeDataUrl

CVSS 8.4 HIGHEPSS 0.3%CWE-20

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

02 jun 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear

Produtos afetados

The Qt Company · Qt

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://codereview.qt-project.org/c/qt/qtbase/+/642006