CVE-2025-12385
📋 TL;DR
This CVE describes a resource allocation vulnerability in Qt's Text component where improper validation of width and height attributes in <img> tags allows attackers to cause excessive memory allocation. This can make Qt Quick applications unresponsive through denial of service. Affected users include anyone running Qt applications with Qt Quick Text components across multiple platforms.
💻 Affected Systems
- Qt
- Qt Quick
- Applications using Qt Text component
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unresponsiveness leading to denial of service, potentially affecting entire systems if critical applications are targeted.
Likely Case
Application becomes temporarily unresponsive or crashes when processing maliciously crafted image tags, requiring restart.
If Mitigated
Minimal impact with proper input validation and resource limits in place; applications handle oversized dimensions gracefully.
🎯 Exploit Status
Exploitation requires ability to inject or control <img> tag attributes in Qt Quick Text components. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Qt 6.5.11, Qt 6.8.6, Qt 6.10.1 and later
Vendor Advisory: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239
Restart Required: Yes
Instructions:
1. Identify Qt version in use.
2. Upgrade to patched version: Qt 6.5.11+, Qt 6.8.6+, or Qt 6.10.1+.
3. Recompile applications with updated Qt libraries.
4. Restart affected applications.
🔧 Temporary Workarounds
Input validation in application code
All platforms: Implement custom validation for width and height attributes in image tags before passing them to Qt Text components.
Resource limiting
All platforms: Configure system or application-level memory limits to prevent excessive allocation.
ulimit -v [LIMIT] # Linux/macOS
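Set-ProcessMitigation # Windows: configures exploit-protection mitigations, not a memory cap; a memory cap needs a Job Object limit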
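One way to implement the "Input validation in application code" workaround, as an added example that is not Qt code and not part of the vendor fix: a helper in JavaScript (the scripting language QML embeds) that clamps or drops width and height attributes on <img> tags before the markup reaches a Text item. The names sanitizeImgDimensions and MAX_IMG_DIMENSION and the 4096 cap are assumptions, and the regex-based tag matching only approximates Qt's own parser.

```javascript
// Added example: hypothetical helper, not Qt API and not the vendor patch.
// MAX_IMG_DIMENSION is an assumed policy cap; choose one that fits your UI.
const MAX_IMG_DIMENSION = 4096;

// One <img ...> tag; quoted values may contain '>', and a missing '>' at
// end of input is tolerated so a truncated tag is still inspected.
const IMG_TAG = /<img\b(?:"[^"]*"|'[^']*'|[^>"'])*>?/gi;
// Tokenises a tag into name or name=value pieces. Whole quoted values are
// consumed, so "width=" inside a src URL is never mistaken for an attribute.
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\/]+)))?/g;

// Returns { markup, changed }: the rewritten markup plus the original text
// of every attribute that was clamped or dropped (useful for logging).
function sanitizeImgDimensions(markup, maxDim = MAX_IMG_DIMENSION) {
    const changed = [];
    const out = String(markup).replace(IMG_TAG, (tag) =>
        tag.replace(ATTR, (attr, name, dq, sq, bare) => {
            const raw = [dq, sq, bare].find((v) => v !== undefined);
            if (raw === undefined || !/^(width|height)$/i.test(name)) {
                return attr; // not a width/height assignment: keep as is
            }
            // Accept plain non-negative integers only; "-1", "1e9", "50%"
            // and empty values are dropped rather than guessed at.
            if (!/^\d+$/.test(raw.trim())) {
                changed.push(attr);
                return "";
            }
            const n = Number(raw.trim()); // huge digit runs still clamp
            if (n > maxDim) changed.push(attr);
            return `${name}="${Math.min(n, maxDim)}"`;
        }));
    return { markup: out, changed };
}

// Constructed sample input, not taken from a real application.
const sample = "<b>hi</b> <img src=\"a.png\" width=\"99999999\" height=\"32\">";
console.log(sanitizeImgDimensions(sample));
```

Logging the changed list gives a host-side signal for the oversized-dimension pattern described under Detection & Monitoring.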
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to filter malicious image tag attributes
- Disable or restrict use of Qt Quick Text components in untrusted content contexts
🔍 How to Verify
Check if Vulnerable:
Check the Qt version using qmake --version or by examining the Qt library files, then compare it against the patched versions listed under Official Fix (Qt 6.5.11, Qt 6.8.6, Qt 6.10.1).
Check Version:
qmake --version | grep -E 'Qt version|Using Qt version'
Verify Fix Applied:
Verify Qt version is 6.5.11+, 6.8.6+, or 6.10.1+ after upgrade. Test with sample applications containing large dimension image tags.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or hangs related to QtQuick/Text components
- High memory allocation events followed by process termination
Network Indicators:
- Unusual patterns of image tag delivery with extremely large dimension values
SIEM Query:
process_name:"qt" AND (event_type:"crash" OR memory_usage:">90%")