CVE-2025-5455
Severity CVSS v4.0: HIGH
Type: CWE-20 Input Validation
Publication date: 02/06/2025
Last modified: 02/06/2025
Description
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply and, potentially, in user code.

If the function was called with malformed data, for example a URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort).

This impacts Qt up to 5.15.18, 6.0.0 through 6.5.8, 6.6.0 through 6.8.3, and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
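
For applications that hand untrusted URLs to an affected Qt build, the following added example (not Qt code and not part of the advisory) flags a data: URL whose header carries a "charset" parameter with no value, the malformed shape described above, so it can be rejected before it reaches Qt. The helper name and its parsing rules are assumptions written in standard C++; it does not reproduce Qt's own parser, and the fixed releases listed above remain the actual remedy.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Strip ASCII whitespace from both ends.
static std::string trim(const std::string &s) {
    const char *ws = " \t\r\n";
    const auto b = s.find_first_not_of(ws);
    if (b == std::string::npos) return std::string();
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// ASCII lower-case copy, for case-insensitive comparison.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Hypothetical helper (not a Qt API): true when `url` is a data: URL whose
// header carries a "charset" parameter without a value, e.g. "data:charset,".
bool dataUrlHasValuelessCharset(const std::string &url) {
    const auto npos = std::string::npos;
    const std::string u = trim(url);
    if (lower(u.substr(0, 5)) != "data:") return false;   // not a data: URL
    // Header = everything between "data:" and the first comma (or the end).
    const auto comma = u.find(',', 5);
    const std::string header = u.substr(5, comma == npos ? npos : comma - 5);
    std::size_t start = 0;
    while (true) {   // walk the ';'-separated header tokens
        const auto semi = header.find(';', start);
        const std::string token = trim(header.substr(start, semi == npos ? npos : semi - start));
        const auto eq = token.find('=');
        const std::string name = lower(trim(token.substr(0, eq)));
        const std::string value = eq == npos ? std::string() : trim(token.substr(eq + 1));
        if (name == "charset" && value.empty()) return true;   // "charset" or "charset="
        if (semi == npos) return false;
        start = semi + 1;
    }
}

int main() {
    // Constructed sample inputs; the first is the form quoted in the advisory.
    for (const char *u : {"data:charset,", "data:text/plain;charset=utf-8,hi"})
        std::printf("%-36s %s\n", u, dataUrlHasValuelessCharset(u) ? "reject" : "ok");
}
```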