fkie_cve-2025-5455
Vulnerability from fkie_nvd
Published
2025-06-02 09:15
Modified
2025-06-02 17:32
Severity ?
8.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear
Summary
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
References
a59d8014-47c4-4630-ab43-e1b13cbe58e3https://codereview.qt-project.org/c/qt/qtbase/+/642006
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.\n\nIf the function was called with malformed data, for example, an URL that\ncontained a \"charset\" parameter that lacked a value (such as\n\"data:charset,\"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service\n(abort).\n\nThis impacts Qt up to 5.15.18, 6.0.0-\u003e6.5.8, 6.6.0-\u003e6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un problema en la funci\u00f3n privada de la API qDecodeDataUrl() de QtCore, utilizada en QTextDocument y QNetworkReply, y, potencialmente, en el c\u00f3digo de usuario. Si la funci\u00f3n se llamaba con datos mal formados, por ejemplo, una URL que conten\u00eda un par\u00e1metro \"charset\" sin valor (como \"data:charset,\"), y Qt se compilaba con aserciones habilitadas, se encontraba con una aserci\u00f3n, lo que resultaba en una denegaci\u00f3n de servicio (abortar). Esto afecta a Qt hasta las versiones 5.15.18, 6.0.0-\u0026gt;6.5.8, 6.6.0-\u0026gt;6.8.3 y 6.9.0. Se ha corregido en las versiones 5.15.19, 6.5.9, 6.8.4 y 6.9.1."
    }
  ],
  "id": "CVE-2025-5455",
  "lastModified": "2025-06-02T17:32:17.397",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "USER",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "CLEAR",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:Clear",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "MODERATE"
        },
        "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-02T09:15:21.493",
  "references": [
    {
      "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
      "url": "https://codereview.qt-project.org/c/qt/qtbase/+/642006"
    }
  ],
  "sourceIdentifier": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.