Skip to main content

Security advisory: Improper validation of img tag size in Text component parser in Qt declarative module impacts Qt

Dec 3, 2025

by Tuukka Kettunen
Comments

Improper Validation of Specified Quantity in Input vulnerability in Text component parser of the Qt declarative module has been discovered and has been assigned the CVE id CVE-2025-12385 

Affected versions: From Qt 5.0.0 to 6.5.10 and from 6.6.0 to 6.8.5 and from 6.9.0 to 6.10.0

Impact: Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.

This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.

CVSS 4.0 Score: 8.7

Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Mitigation: Ensure that all input to the Qt Quick Text component is only from trusted sources or make sure that all text labels that don't require rich text are explicitly using PlainText as the format.

Solution: Apply the following patches or update to Qt 6.10.1 or 6.8.6 or 6.5.11

Patches:

dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766

Qt 6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687935 and
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687936 or https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0001.diff and https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0002.diff

Qt 6.9: https://codereview.qt-project.org/c/qt/qtdeclarative/+/692460 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/690033 or https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0001.diff and https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0002.diff

Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687955 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687954 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0001.diff and https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0002.diff

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688673 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688672 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0001.diff and https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff

 

 

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.11 Now!

Download the latest release here: www.qt.io/download

Qt 6.11 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Related Articles

Security advisory: Recently reported dr_wav issue impacts Qt

Security advisory: Recently reported dr_wav issue impacts Qt

A recently reported issue regarding the loading of specifically crafted..

Read Article
Qt Quick Certification Tests Published

Qt Quick Certification Tests Published

In 2025, we launched the Qt Certification Testing Platform with the Qt..

Read Article
Congratulations Qt Champions 2025!

Congratulations Qt Champions 2025!

Through the Qt Project, both The Qt Group and a global community of..

Read Article