Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-12385

CVE-2025-12385: Qt Text Component DoS Vulnerability

CVE-2025-12385 is a denial of service vulnerability in Qt's Text component that causes excessive allocation through unvalidated img tag dimensions. This post covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-12385 Overview

CVE-2025-12385 is a resource exhaustion vulnerability in The Qt Company's Qt framework. The flaw resides in the Text component of Qt Quick, where the rendering engine fails to validate the width and height attributes of HTML <img> tags. An attacker who controls the rich text input passed to a Text element can specify arbitrarily large image dimensions, triggering excessive memory allocation. The application becomes unresponsive, producing a denial-of-service condition.

The vulnerability is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling) and affects Qt versions across Windows, macOS, Linux, iOS, and Android on both 32-bit and 64-bit architectures.

Critical Impact

Remote attackers can render Qt-based applications unresponsive by supplying crafted <img> tags with oversized dimensions to any Text component that processes untrusted rich text.

Affected Products

  • Qt 5.0.0 through 6.5.10
  • Qt 6.6.0 through 6.8.5
  • Qt 6.9.0 through 6.10.0

Discovery Timeline

  • 2025-12-03 - CVE-2025-12385 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-12385

Vulnerability Analysis

The Qt Quick Text component supports a subset of HTML for rich text rendering, including the <img> tag for inline images. When parsing the tag, the framework reads the width and height attributes and uses them to allocate image buffers and layout space. The implementation does not enforce upper bounds on these values, nor does it validate them against available memory.

An attacker who can influence the text content rendered by a Text element can supply dimensions such as width="999999999" and height="999999999". The renderer attempts to satisfy the allocation request, exhausting CPU and memory resources. Patches were submitted upstream as Qt Project Code Review #687239 and Qt Project Code Review #687766.

Root Cause

The root cause is missing input validation in the rich text parser within the qtdeclarative module. Image dimension attributes are accepted without sanity checks against reasonable bounds, the rendering surface size, or platform memory limits. This represents a classic instance of [CWE-770], where untrusted input directly drives resource allocation.

Attack Vector

Exploitation requires no authentication or user interaction beyond rendering the malicious content. Any Qt Quick application that displays attacker-controlled rich text — including chat clients, email viewers, RSS readers, embedded HMIs, and mobile apps — is exposed. The attack surface extends to network-delivered content, file imports, and inter-process messages that flow into a Text element.

The vulnerability manifests when the parser processes an <img> tag with crafted width and height attributes. See the linked Qt Project code reviews for the upstream fix that introduces bounds checking on these attributes.

Detection Methods for CVE-2025-12385

Indicators of Compromise

  • Qt-based application processes consuming abnormally high memory or CPU shortly after receiving external content.
  • Application hangs or crashes correlated with inbound rich text messages containing <img> tags.
  • Logs or crash dumps showing allocation failures originating from the qtdeclarative rendering pipeline.

Detection Strategies

  • Inventory deployed software to identify applications built against vulnerable Qt versions (5.0.0–6.5.10, 6.6.0–6.8.5, 6.9.0–6.10.0).
  • Inspect inbound message content for <img> tags with numerically extreme width or height attribute values.
  • Monitor process memory growth rate on hosts running Qt Quick applications and flag rapid spikes.

Monitoring Recommendations

  • Enable application crash and hang telemetry from endpoints running Qt-based software.
  • Correlate memory exhaustion events with the parent process binary and its linked Qt libraries.
  • Track outbound and inbound rich text channels feeding Qt applications, such as XMPP, IRC, or proprietary messaging protocols.

How to Mitigate CVE-2025-12385

Immediate Actions Required

  • Identify all Qt-based applications in the environment and determine their linked Qt version.
  • Apply the patches from the Qt Project code reviews referenced above, or upgrade to a fixed Qt release once distributed by vendors.
  • For applications that ship Qt as a bundled dependency, contact the application vendor for an updated build.

Patch Information

The Qt Project addressed the issue through two upstream changes that add validation of <img> dimension attributes: Qt Project Code Review #687239 and Qt Project Code Review #687766. Downstream releases incorporating these fixes are expected in Qt versions beyond 6.5.10, 6.8.5, and 6.10.0.

Workarounds

  • Sanitize all untrusted rich text before passing it to a Text element. Strip or rewrite <img> tags, or clamp width and height attribute values to safe bounds.
  • Where rich text is not required, set textFormat: Text.PlainText on Qt Quick Text components to disable HTML parsing entirely.
  • Apply per-process memory limits using OS-level controls such as cgroups on Linux or Job Objects on Windows to contain runaway allocations.
bash
# Example: enforce a 512 MB memory ceiling on a Qt application using systemd
systemd-run --scope -p MemoryMax=512M /usr/bin/my-qt-app

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.