Improper Link Resolution Vulnerability in Qt Framework by The Qt Company
CVE-2025-4211

7.3 HIGH

Key Information:

Status
Vendor
CVE Published: 16 May 2025

What is CVE-2025-4211?

This vulnerability in the Qt Framework's QFileSystemEngine on Windows stems from improper link resolution before file access: the temporary directory path obtained from the Windows GetTempPath API is used without the links in it being properly resolved. An attacker able to manipulate that temporary path can therefore carry out symlink attacks or cause the application to access malicious files. The flaw is significant because it enables unauthorized access and could lead to privilege escalation, and it affects the public API QDir::tempPath() together with the components built on it, such as QTemporaryDir and QTemporaryFile. Users of the affected versions should update to the releases in which the issue has been addressed.

Affected Version(s)

Qt on Windows: all versions up to and including 5.15.18

Qt on Windows: 6.0.0 up to and including 6.5.8

Qt on Windows: 6.6.0 up to and including 6.8.1

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved