CVE-2025-5455

Severity CVSS v4.0:
HIGH
Type:
CWE-20 Input Validation
Publication date:
02/06/2025
Last modified:
02/06/2025

Description

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, a URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
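The malformed input above, handled with explicit bounds checks, as an added example: this is not Qt's code or its fix, it uses only the C++ standard library, and `dataUrlCharset`, `trim` and `iequals` are hypothetical names. A "charset" field with no value yields an empty result instead of a read past the end of the header.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <string>
#include <string_view>

// Strip ASCII spaces from both ends; safe on an empty view.
static std::string_view trim(std::string_view s) {
    while (!s.empty() && s.front() == ' ') s.remove_prefix(1);
    while (!s.empty() && s.back() == ' ') s.remove_suffix(1);
    return s;
}

// ASCII case-insensitive comparison.
static bool iequals(std::string_view a, std::string_view b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(), [](unsigned char x, unsigned char y) {
               return std::tolower(x) == std::tolower(y);
           });
}

// Hypothetical helper (not a Qt API): returns the charset value from a data: URL
// header, or nullopt if the URL is malformed or "charset" carries no value.
std::optional<std::string> dataUrlCharset(std::string_view url) {
    constexpr std::string_view scheme = "data:";
    if (!iequals(url.substr(0, scheme.size()), scheme)) return std::nullopt;
    url.remove_prefix(scheme.size());
    const auto comma = url.find(',');
    if (comma == std::string_view::npos) return std::nullopt;  // no payload separator
    std::string_view header = url.substr(0, comma);
    for (;;) {  // walk the ';'-separated fields of the header
        const auto semi = header.find(';');
        const std::string_view field = header.substr(0, semi);
        const auto eq = field.find('=');
        if (eq != std::string_view::npos) {  // a bare "charset" has no '=' and is skipped
            const std::string_view value = trim(field.substr(eq + 1));
            if (iequals(trim(field.substr(0, eq)), "charset") && !value.empty())
                return std::string(value);
        }
        if (semi == std::string_view::npos) break;
        header.remove_prefix(semi + 1);
    }
    return std::nullopt;
}

int main() {
    // Constructed input taken from the advisory text: must be rejected, not abort.
    return dataUrlCharset("data:charset,").has_value() ? 1 : 0;
}
```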

References to Advisories, Solutions, and Tools