CVE-2025-5455
published 2025-06-02


Priority: P3 42, severity high, CVSS 4.0 base score 8.4
EPSS: 0.31% (22.5th percentile)
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply and, potentially, in user code. If the function was called with malformed data, for example a URL containing a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, it would hit an assertion, resulting in a denial of service (abort). This affects Qt up to 5.15.18, 6.0.0 to 6.5.8, 6.6.0 to 6.8.3, and 6.9.0. It has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Affected

9 ranges

Vendor          | Product                                        | Version range                      | Fixed in
debian          | qt6-base                                       | < qt6-base 6.8.2+dfsg-8 (forky)    | qt6-base 6.8.2+dfsg-8 (forky)
debian          | qtbase-opensource-src                          | < qt6-base 6.8.2+dfsg-8 (forky)    | qt6-base 6.8.2+dfsg-8 (forky)
debian          | qtbase-opensource-src-gles                     | < qt6-base 6.8.2+dfsg-8 (forky)    | qt6-base 6.8.2+dfsg-8 (forky)
msrc            | azl3_qtbase_6.6.3-4_on_azure_linux_3.0         |                                    |
msrc            | cbl2_qt5-qtbase_5.12.11-18_on_cbl_mariner_2.0  |                                    |
the_qt_company  | qt                                             | <= 5.15.18                         |
the_qt_company  | qt                                             |                                    |
the_qt_company  | qt                                             | 6.0.0 – 6.5.8                      |
the_qt_company  | qt                                             | 6.6.0 – 6.8.3                      |

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v4.0    | 8.4   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:Clear
osv            |         | 8.4   | HIGH     |
vendor_debian  |         | 8.4   | HIGH     |
vendor_redhat  |         | 8.4   | HIGH     |
vendor_msrc    |         | 6.5   | MEDIUM   |