PT-2025-23482 · Qt Company+6 · Qt+6

Published 2025-06-02 · Updated 2025-10-31 · CVE-2025-5455

CVSS v2.0: 9.4 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Qt versions 5.15.18 and earlier, 6.0.0 through 6.5.8, 6.6.0 through 6.8.3, and 6.9.0

Description

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply. If the function is called with malformed data, such as a URL containing a "charset" parameter that lacks a value, and Qt is built with assertions enabled, it would hit an assertion, resulting in a denial of service.

Recommendations

For Qt versions 5.15.18 and earlier, update to version 5.15.19 or later. For Qt versions 6.0.0 through 6.5.8, update to version 6.5.9 or later. For Qt versions 6.6.0 through 6.8.3, update to version 6.8.4 or later. For Qt version 6.9.0, update to version 6.9.1 or later. As a temporary workaround, consider avoiding the use of the qDecodeDataUrl() function with potentially malformed data until a patch is available.
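One way to apply the temporary workaround on an unpatched build is to reject data: URLs whose header carries a "charset" parameter without a value before they reach QTextDocument or QNetworkReply. The following is an added example, not Qt code or part of the advisory; `hasValuelessCharset` and its helpers are hypothetical names, and it assumes the caller passes the URL as a percent-decoded string.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <string_view>

// Hypothetical helpers (not Qt APIs): strip surrounding whitespace / lowercase.
static std::string_view trim(std::string_view s) {
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.front()))) s.remove_prefix(1);
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back()))) s.remove_suffix(1);
    return s;
}

static std::string lower(std::string_view s) {
    std::string out(s);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}

// True when `url` is a data: URL whose header (the part before the first ',')
// contains a "charset" parameter with no value: "charset" alone or "charset=".
// Assumption: `url` is already percent-decoded. Every ';'-separated segment is
// checked, including the first, so the filter errs on the side of rejecting.
bool hasValuelessCharset(std::string_view url) {
    url = trim(url);
    if (url.size() < 5 || lower(url.substr(0, 5)) != "data:") return false;
    url.remove_prefix(5);
    std::string_view header = url.substr(0, url.find(','));  // no ',' -> whole rest
    while (true) {
        const std::size_t semi = header.find(';');
        const std::string seg = lower(trim(header.substr(0, semi)));
        if (seg.rfind("charset", 0) == 0) {  // segment starts with "charset"
            const std::string_view rest = trim(std::string_view(seg).substr(7));
            if (rest.empty()) return true;   // "charset" with no '=' at all
            if (rest.front() == '=' && trim(rest.substr(1)).empty()) return true;
        }
        if (semi == std::string_view::npos) break;
        header.remove_prefix(semi + 1);
    }
    return false;
}

int main() {
    // Constructed sample inputs, not taken from the advisory.
    const char* samples[] = {"data:text/plain;charset,hello",
                             "data:text/plain;charset=utf-8,hello"};
    for (const char* s : samples)
        std::printf("%-40s %s\n", s, hasValuelessCharset(s) ? "reject" : "accept");
}
```

A filter like this only narrows exposure for input the application controls; updating to the fixed Qt versions listed above remains the remedy.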

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

ALSA-2025:9462
ALSA-2025:9486
AZL-64349
AZL-64361
BDU:2025-06498
CVE-2025-5455
ECHO-A29A-8133-4B8D
INFSA-2025_9462
MGASA-2025-0212
OESA-2025-1654
OESA-2025-1655
OESA-2025-1725
OESA-2025-1757
OESA-2025-2545
OPENSUSE-SU-2025:15240-1
RHSA-2025:11841
RHSA-2025:9462
RHSA-2025:9486
RHSA-2025_9462
SUSE-SU-2025:02968-1
SUSE-SU-2025:03599-1
SUSE-SU-2025:3723-1
SUSE-SU-2025_02968-1

Affected Products

AlmaLinux
Debian
Qt
Red Hat
RED OS
Rocky Linux
SUSE