CVE-2025-5455
published 2025-06-02CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If…
PriorityP342high8.4CVSS 4.0
AVNACLATNPRNUIAVCNVIHVAHSCNSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRUVXREMUClear
EPSS
0.31%
22.5th percentile
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).
This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qt6-base | < qt6-base 6.8.2+dfsg-8 (forky) | qt6-base 6.8.2+dfsg-8 (forky) |
| debian | qtbase-opensource-src | < qt6-base 6.8.2+dfsg-8 (forky) | qt6-base 6.8.2+dfsg-8 (forky) |
| debian | qtbase-opensource-src-gles | < qt6-base 6.8.2+dfsg-8 (forky) | qt6-base 6.8.2+dfsg-8 (forky) |
| msrc | azl3_qtbase_6.6.3-4_on_azure_linux_3.0 | — | — |
| msrc | cbl2_qt5-qtbase_5.12.11-18_on_cbl_mariner_2.0 | — | — |
| the_qt_company | qt | <= 5.15.18 | — |
| the_qt_company | qt | — | — |
| the_qt_company | qt | 6.0.0 – 6.5.8 | — |
| the_qt_company | qt | 6.6.0 – 6.8.3 | — |
CVSS provenance
nvdv4.08.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:Clear
osv8.4HIGH
vendor_debian8.4HIGH
vendor_redhat8.4HIGH
vendor_msrc6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Possible denial of service when passing malformed data in a URL to qDecodeDataUrl
vendor_msrc·2025-06-10·CVSS 6.5
CVE-2025-5455 [HIGH] CWE-20 Possible denial of service when passing malformed data in a URL to qDecodeDataUrl
Possible denial of service when passing malformed data in a URL to qDecodeDataUrl
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
TQtC: TQtC
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
qt6-qtbase: qt5-qtbase: QtCore Assertion Failure Denial of Service
vendor_redhat·2025-06-02·CVSS 8.4
CVE-2025-5455 [HIGH] CWE-20 qt6-qtbase: qt5-qtbase: QtCore Assertion Failure Denial of Service
qt6-qtbase: qt5-qtbase: QtCore Assertion Failure Denial of Service
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).
This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
A flaw was found in QtCore's qDecodeDataUrl() function. This vulnerability allows an application level denial of service via a malformed data URL with a missing charset value when a
Debian
CVE-2025-5455: qt6-base - An issue was found in the private API function qDecodeDataUrl() in QtCore, which...
vendor_debian·2025·CVSS 8.4
CVE-2025-5455 [HIGH] CVE-2025-5455: qt6-base - An issue was found in the private API function qDecodeDataUrl() in QtCore, which...
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
Scope: local
bookworm: open
forky: resolved (fixed in 6.8.2+dfsg-8)
sid: resolved (fixed in 6.8.2+dfsg-8)
trixie: resolved (fixed in 6.8.2+dfsg-8)
OSV
CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user
osv·2025-06-02·CVSS 8.4
CVE-2025-5455 [HIGH] CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
GHSA
GHSA-5cfg-qhv9-4842: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user
ghsa_unreviewed·2025-06-02
CVE-2025-5455 [HIGH] CWE-20 GHSA-5cfg-qhv9-4842: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
If the function was called with malformed data, for example, an URL that
contained a "charset" parameter that lacked a value (such as
"data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service
(abort).
This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-02
Published