[Development] [Announce] Security advisory: A Denial-of-Service type of security issue in Qt XML module impacts Qt
List for announcements regarding Qt releases and development via Announce
announce at qt-project.org
Mon Apr 7 13:38:43 CEST 2025
A Denial-of-Service type of security issue in QDom classes of Qt XML module has been discovered and has been assigned the CVE id CVE-2025-30348.
Affected versions: Up to 5.15.18, 6.0.0 to 6.5.8, and 6.6.0 to 6.7.3.
Impact: When QDom classes are used to write XML containing long text segments, QDomNode::save() can hit a quadratic-complexity code path, potentially leading to a DoS if an attacker can control the rate and contents of the XML serializations performed by the application, for example when the application packages attacker-supplied text in XML, including workflows that read XML, modify it, and write it back.
To mitigate the issue, we advise enforcing implementation limits on the size of text and attributes accepted into QDom, or porting the application to QXmlStreamReader/QXmlStreamWriter.
Solution: Apply one of the following patches, or update to Qt 6.9.0, 6.8.0, 6.5.9 or 5.15.19.
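An added example (not Qt's code and not part of this advisory) of the first mitigation: a standard-library-only pre-admission scan, compiled without Qt, that measures the longest text segment and attribute value in a raw XML document so the application can reject oversized input before calling QDomDocument::setContent(). The function names and the caps passed to withinLimits() are assumptions for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <string_view>
struct XmlSizeReport {
    std::size_t longestText = 0;      // longest character-data run (incl. CDATA content)
    std::size_t longestAttribute = 0; // longest quoted attribute value
};

// Lenient lexical scan of raw XML, not a validating parser: it measures only the
// constructs whose length drives the quadratic QDomNode::save() path. Anything it
// cannot make sense of (e.g. an unterminated quote) is counted conservatively, so
// malformed input fails closed rather than slipping past the limit.
XmlSizeReport measureXml(std::string_view xml) {
    constexpr auto npos = std::string_view::npos;
    XmlSizeReport r;
    std::size_t textStart = 0, i = 0;
    while (i < xml.size()) {
        if (xml[i] != '<') { ++i; continue; }
        r.longestText = std::max(r.longestText, i - textStart);
        if (xml.substr(i, 9) == "<![CDATA[") {   // CDATA content is a text segment
            std::size_t end = xml.find("]]>", i + 9);
            std::size_t stop = (end == npos) ? xml.size() : end;
            r.longestText = std::max(r.longestText, stop - (i + 9));
            i = (end == npos) ? xml.size() : end + 3;
        } else {                                   // a tag: measure each quoted value
            ++i;
            while (i < xml.size() && xml[i] != '>') {
                if (xml[i] == '"' || xml[i] == '\'') {
                    std::size_t end = xml.find(xml[i], i + 1);
                    std::size_t stop = (end == npos) ? xml.size() : end;
                    r.longestAttribute = std::max(r.longestAttribute, stop - (i + 1));
                    i = (end == npos) ? xml.size() : end + 1;
                } else { ++i; }
            }
            if (i < xml.size()) ++i;               // step over '>'
        }
        textStart = i;
    }
    r.longestText = std::max(r.longestText, xml.size() - textStart);
    return r;
}

// Admission check to run before QDomDocument::setContent(); the caps are
// application-chosen values (assumed here), not numbers from the advisory.
bool withinLimits(std::string_view xml, std::size_t maxText, std::size_t maxAttr) {
    const XmlSizeReport r = measureXml(xml);
    return r.longestText <= maxText && r.longestAttribute <= maxAttr;
}
```

Text added later through QDomDocument::createTextNode() or setAttribute() bypasses this scan, so apply the same length caps to those strings at the call site.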
Patches:
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/627439 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-30348-qtbase-6.5.diff
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/632061 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-30348-qtbase-5.15.diff
Regards,
Tuukka Kettunen
--
Tuukka Kettunen
Senior Manager, Technical Support
The Qt Company