CVE-2025-14575 Overview
CVE-2025-14575 is an Uncontrolled Search Path Element vulnerability [CWE-427] in the OpenSSL TLS backend of Qt Network (qtbase) on Unix-based Qt Framework deployments. A local attacker can place a crafted certificate file in an application's working directory. The Qt Network OpenSSL backend then loads that file as a trusted Certificate Authority (CA), elevating a rogue certificate to system-trusted status for the affected process.
The flaw enables certificate trust manipulation scoped to applications that rely on Qt Network for TLS validation. Exploitation requires local access and high privileges, which limits real-world risk.
Critical Impact
A local attacker who can write to an application's working directory can introduce a rogue CA, breaking TLS trust assumptions for Qt-based applications and enabling man-in-the-middle interception of outbound TLS connections.
Affected Products
- Qt Framework (Unix) — Qt Network module (qtbase)
- Qt Network OpenSSL TLS backend
- Applications built against affected Qt Network releases on Unix platforms
Discovery Timeline
- 2026-05-19 - CVE-2025-14575 published to NVD
- 2026-05-19 - Last updated in the NVD database
Technical Details for CVE-2025-14575
Vulnerability Analysis
The Qt Network module provides TLS functionality through pluggable backends, including an OpenSSL backend used on most Unix platforms. During initialization, the backend assembles a list of locations to search for CA certificates. The vulnerability stems from the inclusion of an untrusted path — the process's current working directory — in that search routine.
When a Qt-based application starts, the OpenSSL backend reads candidate certificate files from the working directory and incorporates them into the trusted CA set. An attacker who can drop a file such as a crafted PEM into that directory causes the rogue certificate to be elevated to a trusted system authority for the duration of the process.
With that rogue CA in place, the attacker can forge TLS server certificates and intercept or modify TLS traffic terminated by the affected application. The trust manipulation persists for the lifetime of the process. See the Qt Project Code Review for the upstream patch and code-level details.
Root Cause
The root cause is classified as CWE-427: Uncontrolled Search Path Element. The OpenSSL backend treats the working directory as an authoritative source for CA material rather than restricting trust to vetted system locations such as /etc/ssl/certs.
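The following is an added illustration, not Qt's code or the upstream patch: a small Python model of the search-path decision the advisory describes, with the weak pattern (the process's working directory appended to the CA search list) beside a hardened variant that accepts a directory as a CA source only if it is absolute, owned by a trusted uid and not group- or world-writable. The system paths, the root-only ownership policy and the temp-directory fixture in demo() are assumptions made for this example; the certificate bodies are constructed stand-ins, not real X.509 data.

```python
import os
import stat
import tempfile
from pathlib import Path

# Vetted system CA locations. /etc/ssl/certs is named in the advisory;
# /etc/pki/tls/certs is assumed here as the Red Hat-family equivalent.
SYSTEM_CA_DIRS = ("/etc/ssl/certs", "/etc/pki/tls/certs")
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def naive_search_path(cwd=None):
    """Model of the flawed pattern the advisory describes (not Qt's own code):
    the current working directory is appended to the CA search list next to
    the vetted system locations, so anything dropped there becomes CA input."""
    return [*SYSTEM_CA_DIRS, cwd or os.getcwd()]


def is_trusted_ca_dir(path, trusted_owners=(0,)):
    """Accept a directory as a CA source only if it is absolute, exists, is a
    directory owned by a trusted uid (root by default) and is not group- or
    world-writable. A user-writable working directory fails this policy."""
    p = Path(path)
    if not p.is_absolute():
        return False
    try:
        st = p.stat()
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid not in trusted_owners:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def hardened_search_path(candidates, trusted_owners=(0,)):
    """Keep only the candidates that pass the ownership/permission policy."""
    return [c for c in candidates if is_trusted_ca_dir(c, trusted_owners)]


def collect_ca_files(search_path):
    """Return the PEM certificate files found in the accepted directories."""
    found = []
    for d in search_path:
        try:
            entries = sorted(Path(d).iterdir())
        except OSError:
            continue
        for f in entries:
            try:
                if f.is_file() and f.read_bytes().lstrip().startswith(PEM_HEADER):
                    found.append(str(f))
            except OSError:
                continue
    return found


def demo():
    """Constructed layout in a temp dir: a vetted CA dir (0755) holding one
    root, and a world-writable application working directory holding a stray
    cert.pem. Returns what each policy would accept."""
    with tempfile.TemporaryDirectory() as root:
        vetted = Path(root, "vetted_certs")
        vetted.mkdir()
        vetted.chmod(0o755)  # mkdir's mode is subject to umask; force it
        # constructed stand-in bodies, not real X.509 structures
        (vetted / "distro-root.pem").write_bytes(
            PEM_HEADER + b"\nY29uc3RydWN0ZWQgcm9vdA==\n-----END CERTIFICATE-----\n")
        app_cwd = Path(root, "app_cwd")
        app_cwd.mkdir()
        app_cwd.chmod(0o777)  # the weak condition: any local account can drop files here
        (app_cwd / "cert.pem").write_bytes(
            PEM_HEADER + b"\nY29uc3RydWN0ZWQgcm9ndWU=\n-----END CERTIFICATE-----\n")

        owners = (os.getuid(),)  # the demo owns its temp dirs; production keeps root-only
        naive = naive_search_path(str(app_cwd))
        hardened = hardened_search_path([str(vetted), str(app_cwd)], owners)
        return {
            "naive_includes_cwd": str(app_cwd) in naive,
            "hardened": [Path(d).name for d in hardened],
            "loaded": [Path(f).name for f in collect_ca_files(hardened)],
        }


if __name__ == "__main__":
    print(demo())
```

The permission test is the part worth carrying into any loader that reads CA material from the filesystem: a directory that an unprivileged account can write to is never a valid trust anchor source, regardless of where it sits in the search order.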
Attack Vector
The attack vector is local. The attacker must already have a foothold on the host with privileges sufficient to write into the working directory of the targeted Qt application. There is no network-reachable exploitation path, no public proof-of-concept, and no evidence of in-the-wild abuse.
The vulnerability is described in prose only — no verified exploitation code is published. Refer to the upstream Qt code review for the affected logic and remediation.
Detection Methods for CVE-2025-14575
Indicators of Compromise
- Unexpected certificate files (for example .pem, .crt, cert.pem, ca-bundle.crt) present in the working directory of Qt-based application processes.
- TLS sessions from Qt applications validating against issuers not present in the host's system CA store.
- Filesystem writes to application working directories by user accounts that should not modify those locations.
Detection Strategies
- Inventory Qt-based applications on Unix endpoints and audit their runtime working directories for stray certificate files.
- Monitor process telemetry for open() or read() calls on certificate-shaped filenames originating from non-standard paths.
- Correlate TLS validation events with the issuing CA to flag connections trusted by an application but not by the OS trust store.
Monitoring Recommendations
- Enable file integrity monitoring on directories that serve as working directories for Qt-based services and daemons.
- Alert on certificate file creation events outside of /etc/ssl/, /etc/pki/, and other approved CA locations.
- Log and review the effective current working directory of long-running Qt applications, especially those launched from user-writable paths.
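An added detection example covering the indicators and strategies above; it is not tooling from the Qt project or from this advisory. It walks each process's working directory (via /proc, an assumption that this runs on Linux), flags files with certificate-shaped names or PEM CERTIFICATE blocks, and reports which certificate fingerprints are absent from the approved CA directories, which is the "trusted by the application but not by the OS store" condition. The approved directories beyond /etc/ssl/ and /etc/pki/ and the Qt library filter are assumptions; demo() builds a constructed fixture with stand-in certificate bodies, not real X.509 data.

```python
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Approved CA locations: /etc/ssl/ and /etc/pki/ come from the advisory's
# monitoring list; the concrete subdirectories are assumed distro defaults.
APPROVED_CA_DIRS = ("/etc/ssl/certs", "/etc/pki/tls/certs",
                    "/etc/pki/ca-trust/source/anchors")

# Certificate-shaped names, after the advisory's indicator list.
CERT_NAME_RE = re.compile(r"\.(pem|crt|cer)$|^ca-bundle", re.IGNORECASE)
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def is_cert_shaped(name):
    return CERT_NAME_RE.search(name) is not None


def make_pem(der):
    """Wrap bytes in PEM armour (used here only to build constructed fixtures)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode("ascii")


def pem_fingerprints(data):
    """SHA-256 over the decoded body of every PEM CERTIFICATE block in data.
    For a real certificate this is the usual DER fingerprint; the body is not
    parsed as X.509 here, so malformed blocks are simply skipped."""
    fps = []
    for m in PEM_BLOCK_RE.finditer(data.decode("ascii", errors="ignore")):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            continue
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def fingerprints_in_dirs(dirs):
    """Fingerprints of everything the approved CA directories contain."""
    fps = set()
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in p.iterdir():
            try:
                if f.is_file():
                    fps.update(pem_fingerprints(f.read_bytes()))
            except OSError:
                continue
    return fps


def scan_directory(cwd, trusted):
    """Flag certificate-shaped or PEM-bearing files in cwd and list the
    fingerprints that the OS trust store does not know."""
    findings = []
    p = Path(cwd)
    if not p.is_dir():
        return findings
    for f in sorted(p.iterdir()):
        try:
            if not f.is_file():
                continue
            data = f.read_bytes()
        except OSError:
            continue
        fps = pem_fingerprints(data)
        if not fps and not is_cert_shaped(f.name):
            continue
        findings.append({"name": f.name, "path": str(f), "certs": len(fps),
                         "unknown": [fp for fp in fps if fp not in trusted]})
    return findings


def process_cwds():
    """pid -> working directory from /proc (needs rights to read other users'
    entries to be complete; run as root for a full inventory)."""
    out = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                out[int(pid)] = os.readlink(f"/proc/{pid}/cwd")
            except OSError:
                continue
    return out


def links_qt_network(pid):
    """True if a Qt Network library (libQt5Network / libQt6Network) is mapped."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return any("libQt" in line and "Network" in line for line in fh)
    except OSError:
        return False


def demo():
    """Constructed fixture: an approved CA dir with one root, and an app
    working directory holding a copy of that root plus a stray cert.pem."""
    with tempfile.TemporaryDirectory() as root:
        ca_dir = Path(root, "approved")
        ca_dir.mkdir()
        app_cwd = Path(root, "app_cwd")
        app_cwd.mkdir()
        known = make_pem(b"constructed distro root CA")  # stand-in, not X.509
        (ca_dir / "distro-root.pem").write_bytes(known)
        (app_cwd / "README").write_bytes(b"not a certificate\n")
        (app_cwd / "ca-bundle.crt").write_bytes(known)
        (app_cwd / "cert.pem").write_bytes(make_pem(b"constructed rogue CA"))
        trusted = fingerprints_in_dirs([ca_dir])
        return {f["name"]: f for f in scan_directory(app_cwd, trusted)}


if __name__ == "__main__":
    trusted = fingerprints_in_dirs(APPROVED_CA_DIRS)
    for pid, cwd in process_cwds().items():
        if not links_qt_network(pid):
            continue
        for hit in scan_directory(cwd, trusted):
            print(pid, cwd, hit["name"], "certs=%d unknown=%d"
                  % (hit["certs"], len(hit["unknown"])))
```

A file whose fingerprints all appear in the approved store (a stray copy of a distro bundle) is still reported, since it does not belong in the working directory, but only entries with a non-empty unknown list represent a trust anchor the host itself does not recognise.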
How to Mitigate CVE-2025-14575
Immediate Actions Required
- Update Qt qtbase to a version that includes the fix referenced in the Qt Project Code Review.
- Audit Qt-based applications and remove any unexpected certificate files from their working directories.
- Launch Qt applications from non-user-writable working directories where possible.
Patch Information
The upstream fix is tracked in the Qt Project Gerrit instance at Qt Project Code Review 642967. The change adjusts the OpenSSL TLS backend's CA search behavior so the working directory is no longer treated as a trusted source. Distribution and downstream maintainers should rebuild affected packages against patched qtbase sources.
Workarounds
- Run Qt-based applications from a fixed, restricted directory such as /usr/share/<app> rather than user-controlled paths.
- Restrict filesystem permissions so that only privileged accounts can write to working directories of Qt services.
- Where supported, configure Qt applications to use an explicit CA bundle via QSslConfiguration::setCaCertificates() and disable automatic system CA discovery.
# Configuration example: launch a Qt application from a root-owned,
# non-user-writable working directory (run as root; adjust paths to the deployment)
chown root:root /usr/share/myqtapp
chmod 755 /usr/share/myqtapp
# Abort rather than exec from the wrong directory if the cd fails
cd /usr/share/myqtapp || exit 1
exec /usr/bin/myqtapp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


