CVE-2025-5455 Overview
A denial of service vulnerability has been discovered in the private API function qDecodeDataUrl() within Qt's QtCore library. This function is utilized by QTextDocument and QNetworkReply components, as well as potentially in user-developed applications that leverage Qt's data URL parsing capabilities.
When qDecodeDataUrl() is called with malformed input data—specifically a URL containing a "charset" parameter that lacks a value (such as data:charset,)—and Qt has been built with assertions enabled, the function triggers an assertion failure. This results in an immediate abort of the application, causing a denial of service condition.
Critical Impact
Applications built on affected Qt versions with assertions enabled can be crashed remotely by providing malformed data URLs, leading to denial of service. This affects core Qt functionality used in network requests and document processing.
Affected Products
- Qt versions up to and including 5.15.18
- Qt versions 6.0.0 through 6.5.8
- Qt versions 6.6.0 through 6.8.3
- Qt version 6.9.0
Discovery Timeline
- June 2, 2025 - CVE-2025-5455 published to NVD
- June 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-5455
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the qDecodeDataUrl() function. The function fails to properly handle edge cases where a data URL contains a malformed charset parameter. In Qt builds compiled with assertions enabled (-DQT_FORCE_ASSERTS or debug builds), encountering this malformed input causes an assertion to trigger, which immediately terminates the application via abort().
The vulnerability is particularly concerning because the affected function is used by fundamental Qt classes like QTextDocument for rendering rich text content and QNetworkReply for handling network responses. Any application that processes untrusted data URLs through these components could be vulnerable to exploitation.
Root Cause
The root cause lies in the inadequate validation of the charset parameter within data URL parsing. When the parser encounters a charset parameter followed by a comma but no actual value (e.g., data:charset,), it fails to handle this boundary condition gracefully. Instead of returning an error or using a default charset, the code path leads to an assertion that expects a non-empty charset value.
The lack of defensive programming in handling malformed input allows an attacker to craft specifically malformed data URLs that trigger the assertion failure, resulting in application termination.
Attack Vector
The attack can be executed remotely over the network (AV:N) with low complexity. An attacker needs to deliver a malformed data URL to a victim application through various channels:
- Network Responses: If an application uses QNetworkReply to fetch content from attacker-controlled servers, the malicious data URL can be embedded in the response
- Rich Text Content: Applications using QTextDocument to render HTML or rich text content can be targeted by embedding malformed data URLs in documents
- User Input Processing: Any application that processes user-supplied URLs without proper sanitization may be vulnerable
The vulnerability requires user interaction (UI:A) in most scenarios, as the victim application needs to process the attacker-supplied content. However, automated processing of network content could be exploited without direct user action.
Detection Methods for CVE-2025-5455
Indicators of Compromise
- Application crash logs showing assertion failures in Qt's URL parsing functions
- Core dumps or crash reports referencing qDecodeDataUrl() or related QtCore functions
- Sudden termination of Qt-based applications when processing external content
- Network traffic containing data URLs with malformed charset parameters (pattern: data:charset,)
Detection Strategies
- Monitor application logs for unexpected termination events or assertion failures
- Implement network intrusion detection rules to identify data URLs with empty charset parameters
- Review crash reports and core dumps for patterns indicating exploitation attempts
- Deploy application-level monitoring to detect abnormal process terminations in Qt-based applications
Monitoring Recommendations
- Enable enhanced logging for Qt applications to capture URL parsing activities
- Implement crash reporting mechanisms to quickly identify potential exploitation attempts
- Monitor network traffic for suspicious data URL patterns targeting Qt applications
- Set up alerts for repeated application crashes that may indicate ongoing attack attempts
How to Mitigate CVE-2025-5455
Immediate Actions Required
- Upgrade Qt to patched versions: 5.15.19, 6.5.9, 6.8.4, or 6.9.1
- Review and audit any custom code that uses qDecodeDataUrl() directly
- Implement input validation to sanitize data URLs before processing
- Consider disabling assertions in production builds if immediate patching is not possible (note: this is a temporary workaround only)
Patch Information
Qt has released security patches addressing this vulnerability. The fix is available in the following versions:
- Qt 5.15.19 and later for the 5.x branch
- Qt 6.5.9 and later for the 6.5 LTS branch
- Qt 6.8.4 and later for the 6.8 branch
- Qt 6.9.1 and later for the 6.9 branch
The patch details can be reviewed at the Qt Project Code Review. Organizations should prioritize upgrading to the patched versions to eliminate this vulnerability.
Workarounds
- Build Qt without assertions enabled for production deployments (reduces attack surface but may mask other issues)
- Implement application-level input filtering to reject data URLs with empty or malformed charset parameters
- Use network-level filtering to block requests containing suspicious data URL patterns
- Isolate Qt-based applications that process untrusted content in sandboxed environments
If upgrading is not immediately feasible, organizations should implement defense-in-depth measures including input validation at the application boundary. However, the recommended mitigation is to apply the official patches as soon as possible.
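As an added example (not Qt's code and not part of the original advisory), the following C++ pre-filter implements the application-level input filtering from the Workarounds list and the empty-charset detection pattern from the Detection Strategies section: it rejects data: URLs whose charset parameter has no value before they reach QTextDocument or QNetworkReply handling, and counts such URLs in a response body or log line. The function names, the rule that a URL ends at whitespace or a quote, and the ";base64" suffix handling (stripped before checking parameters, as RFC 2397 places it last) are my assumptions.

```cpp
// Added example, not Qt's own code: pre-filter for the CVE-2025-5455 input pattern,
// a data: URL whose "charset" parameter has no value (e.g. "data:charset,").
#include <cctype>
#include <string>
static std::string lower(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
static std::string trim(const std::string &s) {
    const auto b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}
// True only for a data: URL whose mediatype parameters are well formed enough to hand
// to Qt: every "charset" parameter has '=' and a non-empty value. Everything else,
// including the crashing "data:charset," form, is rejected.
bool isWellFormedDataUrl(const std::string &url) {
    if (lower(url.substr(0, 5)) != "data:") return false;
    const auto comma = url.find(',');
    if (comma == std::string::npos) return false;              // no payload separator
    std::string mediatype = trim(url.substr(5, comma - 5));
    const std::string b64 = ";base64";                         // assumed: strip the encoding flag first
    if (mediatype.size() >= b64.size() && lower(mediatype.substr(mediatype.size() - b64.size())) == b64)
        mediatype.erase(mediatype.size() - b64.size());
    for (size_t start = 0; start <= mediatype.size();) {       // walk ';'-separated parameters
        auto end = mediatype.find(';', start);
        if (end == std::string::npos) end = mediatype.size();
        const std::string part = mediatype.substr(start, end - start);
        const auto eq = part.find('=');
        const std::string name = lower(trim(part.substr(0, eq)));
        if (name == "charset" && (eq == std::string::npos || trim(part.substr(eq + 1)).empty()))
            return false;                                      // "charset" or "charset=" with no value
        start = end + 1;
    }
    return true;
}
// Counts malformed data: URLs in a response body or log line; the check an IDS rule
// or application-side log filter for this CVE would apply. A URL is assumed to end
// at whitespace, a quote, or an angle bracket (constructed heuristic).
int countMalformedDataUrls(const std::string &text) {
    int bad = 0;
    const std::string lowered = lower(text);
    for (size_t pos = 0; (pos = lowered.find("data:", pos)) != std::string::npos;) {
        auto end = text.find_first_of(" \"'<>\n", pos);
        if (end == std::string::npos) end = text.size();
        if (!isWellFormedDataUrl(text.substr(pos, end - pos))) ++bad;
        pos = end;
    }
    return bad;
}
```

Call isWellFormedDataUrl() on a URL before passing it to Qt, and feed countMalformedDataUrls() fetched bodies or access-log lines to raise the repeated-crash or suspicious-pattern alerts the Monitoring Recommendations describe.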
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.