Denial of Service Vulnerability in QtCore Affecting Multiple Versions of Qt Framework
CVE-2025-5455

8.4 HIGH

Key Information:

CVE Published: 2 June 2025

What is CVE-2025-5455?

A flaw in the private API function qDecodeDataUrl() in QtCore affects certain versions of the Qt Framework. The function is used by QTextDocument and QNetworkReply, so both are impacted. When the function is passed malformed data, such as a URL that includes a 'charset' parameter without a value, it triggers an assertion failure and the application aborts unexpectedly. This can be exploited for denial of service attacks that disrupt application availability. The issue has been addressed in Qt Framework updates, including versions 5.15.19, 6.5.9, 6.8.4, and 6.9.1, so affected applications should be upgraded.
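Where an upgrade cannot be rolled out immediately, untrusted data: URLs can be screened before they reach QTextDocument or QNetworkReply. The following is an added example, not code from Qt or from this advisory: it uses only the C++ standard library, the function name hasValuelessCharset is hypothetical, and it assumes that both a bare "charset" and "charset=" with nothing after it count as a charset parameter without a value.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Trim surrounding whitespace and lower-case one header segment.
static std::string normalize(std::string s) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), notSpace));
    s.erase(std::find_if(s.rbegin(), s.rend(), notSpace).base(), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Returns true when `url` is a data: URL whose header (the part between
// "data:" and the first ',') carries a charset parameter with no value.
// Assumption: "charset" with no '=' and "charset=" with an empty value are
// both treated as valueless. The payload after the ',' is never inspected.
bool hasValuelessCharset(const std::string& url) {
    if (url.size() < 5 || normalize(url.substr(0, 5)) != "data:") return false;
    const std::string::size_type npos = std::string::npos, comma = url.find(',', 5);
    const std::string header = url.substr(5, comma == npos ? npos : comma - 5);
    std::string::size_type start = 0;
    while (start <= header.size()) {
        std::string::size_type end = header.find(';', start);
        if (end == npos) end = header.size();
        const std::string seg = normalize(header.substr(start, end - start));
        const std::string::size_type eq = seg.find('=');
        if (normalize(seg.substr(0, eq)) == "charset" &&
            (eq == npos || normalize(seg.substr(eq + 1)).empty()))
            return true;
        start = end + 1;
    }
    return false;
}

int main() {
    // Constructed sample inputs, not taken from the advisory.
    const char* samples[] = {"data:text/plain;charset=utf-8,hello",
                             "data:text/plain;charset=,hello",
                             "data:text/plain;charset;base64,aGVsbG8="};
    for (const char* s : samples)
        std::cout << (hasValuelessCharset(s) ? "REJECT " : "accept ") << s << '\n';
    return 0;
}
```

A screen like this reduces exposure on unpatched builds but does not replace upgrading to a fixed Qt version.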

Affected Version(s)

Qt 0 <= 5.15.18

Qt 6.0.0 <= 6.5.8

Qt 6.6.0 <= 6.8.3

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
