An Improper Validation of Specified Quantity in Input vulnerability in the Text 
component parser of the Qt declarative module has been discovered and has been 
assigned the CVE id CVE-2025-12385.

Affected versions: Qt 5.0.0 to 6.5.10, 6.6.0 to 6.8.5 and 6.9.0 to 6.10.0

Impact: Allocation of Resources Without Limits or Throttling, Improper 
Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on 
Windows, macOS, Linux, iOS, Android, x86, ARM, 64-bit and 32-bit allows Excessive 
Allocation.

This issue affects users of the Text component in Qt Quick. Missing validation 
of the width and height attributes of the <img> tag in rich text could cause an 
application to become unresponsive.

CVSS 4.0 Score: 8.7

Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Mitigation: Ensure that all input to the Qt Quick Text component comes only from 
trusted sources, or make sure that all text labels that don't require rich text 
explicitly use PlainText as the format.
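The second mitigation in QML, as an added illustration that is not part of the advisory: the first Text leaves textFormat at its default (Text.AutoText), so a string that looks like HTML is handed to the rich-text parser; the second pins textFormat to Text.PlainText, so the same string is displayed literally and any <img> tag in it is never parsed. The untrustedMessage property and its value are constructed placeholders for whatever an application receives from the network, a file or IPC.

```qml
import QtQuick

Item {
    width: 400
    height: 120

    // Constructed stand-in for text that arrives from an untrusted source.
    // Treat anything the application did not author itself as untrusted.
    property string untrustedMessage: "<b>example text from outside</b>"

    // Weak: textFormat defaults to Text.AutoText, which detects HTML-like
    // input and renders it as rich text, so the rich-text parser (and its
    // handling of <img> width/height) runs on attacker-controlled data.
    Text {
        id: autoLabel
        text: untrustedMessage
    }

    // Hardened: PlainText never enters the rich-text parser. Tags are shown
    // as literal characters, so this label only needs the mitigation below
    // when it must actually render markup, in which case the input source
    // has to be trusted instead.
    Text {
        id: plainLabel
        anchors.top: autoLabel.bottom
        anchors.topMargin: 8
        textFormat: Text.PlainText
        text: untrustedMessage
    }
}
```

Labels from Qt Quick Controls (Label) inherit Text and take the same textFormat property, so the same setting applies to them.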

Solution: Apply the following patches or update to Qt 6.10.1, 6.8.6 or 6.5.11.

Patches:
dev:
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239
and
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766

Qt 6.10:
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687935
and
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687936
or
https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0001.diff
and
https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0002.diff

Qt 6.9:
https://codereview.qt-project.org/c/qt/qtdeclarative/+/692460
and
https://codereview.qt-project.org/c/qt/qtdeclarative/+/690033
or
https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0001.diff
and
https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0002.diff

Qt 6.8:
https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687955
and
https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687954
or
https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0001.diff
and
https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0002.diff

Qt 6.5:
https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688673
and
https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688672
or
https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0001.diff
and
https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff
______________________
Tuukka Kettunen
Senior Manager, Technical Support, Customer Engineering
The Qt Company
Tutkijantie 4C
FI-90590 Oulu
Finland
_______________________________________________
Announce mailing list
[email protected]
https://lists.qt-project.org/listinfo/announce