CVE-2025-4211 — Link Following in Qt6-base
Severity
7.3 HIGH (NVD)
EPSS
0.2%
top 62.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 16
Description
Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files. Issue originates from CVE-2024-38081. The vulnerability arises from the use of the GetTempPath API, which can be exploited by attackers to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation. The affected public API in the Qt Framework is QDir:…
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P
Affected Packages: 3 packages
Vulnerability Details (2)
GHSA
GHSA-8cgq-rf3m-gjm4: Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentiall… (2025-05-16)
OSV
CVE-2025-4211: Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentiall… (2025-05-16)