[Development] [Announce] Security advisory: Improper Link Resolution Before File Access in QFileSystemEngine in the Qt corelib module on Windows impacts Qt

List for announcements regarding Qt releases and development via Announce announce at qt-project.org
Fri May 16 15:57:06 CEST 2025 

Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows potentially allows Symlink Attacks and the use of Malicious Files. This vulnerability has been discovered and assigned the CVE ID CVE-2025-4211. The issue originates from CVE-2024-38081. The vulnerability arises from the use of the GetTempPath API, which can be exploited by attackers to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation. The affected public API in the Qt Framework is QDir::tempPath() and anything that uses it, such as QStandardPaths with TempLocation, QTemporaryDir, and QtemporaryFile.

Affected versions:
All version of Qt up to and including 5.15.18, from 6.0.0 through 6.5.8, from 6.6.0 through 6.8.1. It is fixed in Qt 5.15.19, Qt 6.5.9, Qt 6.8.2, Qt 6.9.0

Impact:
The vulnerability allows attackers to influence the temporary file path resolution, which can lead to elevation of privilege. This can be particularly dangerous if exploited by unprivileged users to gain higher-level access or execute arbitrary code with elevated permissions.

Attack Vectors:
An attacker with local access can exploit symbolic link attacks. The default temporary directory for system/privileged processes allows regular unprivileged users to create files, including following symlinks, and thus place privileged files and directories where they shouldn't be.

Vulnerability Score:
CVSS v4.0: 7.3

Solution: Apply the following patch or update to Qt 6.9.0 or 6.8.2 or 6.5.9 or 5.15.19
Patches:
6.8: https://codereview.qt-project.org/c/qt/qtbase/+/635127 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-4211-qtbase-6.8.diff
6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/635259 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-4211-qtbase-6.5.diff
5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/635550 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-4211-qtbase-5.15.diff

______________________
Tuukka Kettunen
Senior Manager, Technical Support
[cid:image001.png at 01DBC683.8D682630]<https://www.qt.io/>
[cid:image002.png at 01DBC683.8D682630]<https://www.facebook.com/qt/>
[cid:image003.png at 01DBC683.8D682630]<https://twitter.com/qtproject>
[cid:image004.png at 01DBC683.8D682630]<https://www.linkedin.com/company/the-qt-company/>
[cid:image005.png at 01DBC683.8D682630]<https://www.youtube.com/QtStudios>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6489 bytes
Desc: image001.png
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 695 bytes
Desc: image002.png
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 873 bytes
Desc: image003.png
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 761 bytes
Desc: image004.png
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 732 bytes
Desc: image005.png
URL: <http://lists.qt-project.org/pipermail/development/attachments/20250516/fabe5502/attachment-0009.png>
-------------- next part --------------
_______________________________________________
Announce mailing list
Announce at qt-project.org
https://lists.qt-project.org/listinfo/announce

More information about the Development mailing list