[Development] [Announce] Security advisory: Improper validation of img tag size in Text component parser in Qt declarative module impacts Qt
List for announcements regarding Qt releases and development via Announce
announce at qt-project.org
Fri Dec 5 03:24:55 CET 2025
An Improper Validation of Specified Quantity in Input vulnerability in the Text component parser of the Qt declarative module has been discovered and has been assigned the CVE id CVE-2025-12385.
Affected versions: From Qt 5.0.0 to 6.5.10 and from 6.6.0 to 6.8.5 and from 6.9.0 to 6.10.0
Impact: Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
CVSS 4.0 Score: 8.7
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Mitigation: Ensure that all input to the Qt Quick Text component is only from trusted sources or make sure that all text labels that don't require rich text are explicitly using PlainText as the format.
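To check a code base against that mitigation, here is an added example (not code from the advisory or the Qt project): a small Python scanner that walks QML source, finds every Text item, and reports which ones do not set textFormat to Text.PlainText explicitly. It assumes the Qt Quick default textFormat of Text.AutoText and runs on constructed sample QML embedded in the script.

```python
import re

# Constructed sample QML (not from the advisory): three Text items fed from an
# untrusted model. Only the second one applies the advisory's mitigation.
SAMPLE_QML = """
import QtQuick

Column {
    Text { text: model.body }                  // no textFormat: defaults to Text.AutoText
    Text {
        text: model.body
        textFormat: Text.PlainText             // explicit PlainText, as the advisory recommends
        wrapMode: Text.WordWrap
    }
    Text { text: model.title; textFormat: Text.RichText }
}
"""

TEXT_ITEM = re.compile(r"\bText\s*\{")
FORMAT_PROP = re.compile(r"\btextFormat\s*:\s*(Text\.\w+|\w+)")

def _block_end(src, start):
    """Index just past the brace closing the block opened at src[start] == '{'.
    Double-quoted string literals are skipped so braces inside them are ignored."""
    depth = 0
    i = start
    while i < len(src):
        ch = src[i]
        if ch == '"':
            i = src.index('"', i + 1)          # jump to the closing quote
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces in QML source")

def audit_text_items(src):
    """Return one finding per Text item: line number, effective textFormat and
    whether it is acceptable for untrusted input (explicit Text.PlainText)."""
    findings = []
    for m in TEXT_ITEM.finditer(src):
        open_brace = m.end() - 1
        body = src[open_brace:_block_end(src, open_brace)]
        fmt_match = FORMAT_PROP.search(body)
        fmt = fmt_match.group(1) if fmt_match else "Text.AutoText"   # Qt Quick default
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "textFormat": fmt,
            "safe_for_untrusted_input": fmt == "Text.PlainText",
        })
    return findings
```

Run it over real .qml files by reading each file into `audit_text_items`; items reported with Text.AutoText or Text.RichText are the ones to review against the advisory.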
Solution: Apply the following patches or update to Qt 6.10.1 or 6.8.6 or 6.5.11
Patches:
dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766
Qt 6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687935 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/687936 or https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0001.diff and https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0002.diff
Qt 6.9: https://codereview.qt-project.org/c/qt/qtdeclarative/+/692460 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/690033 or https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0001.diff and https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0002.diff
Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687955 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687954 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0001.diff and https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0002.diff
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688673 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688672 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0001.diff and https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff
______________________
Tuukka Kettunen
Senior Manager, Technical Support, Customer Engineering
The Qt Company
Tutkijantie 4C
FI-90590 Oulu
Finland