Security advisory: Improper validation of img tag size in Text component parser in Qt declarative module impacts Qt
December 03, 2025 by Tuukka Kettunen
An Improper Validation of Specified Quantity in Input vulnerability in the Text component parser of the Qt declarative module has been discovered and has been assigned the CVE ID CVE-2025-12385.
Affected versions: Qt 5.0.0 through 6.5.10, 6.6.0 through 6.8.5, and 6.9.0 through 6.10.0
Impact: Allocation of Resources Without Limits or Throttling and Improper Validation of Specified Quantity in Input in The Qt Company Qt on Windows, macOS, Linux, iOS and Android (x86, ARM, 64-bit and 32-bit) allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
CVSS 4.0 Score: 8.7
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Mitigation: Ensure that all input to the Qt Quick Text component comes only from trusted sources, or make sure that every text label that does not require rich text explicitly uses PlainText as its format.
Solution: Apply the following patches, or update to Qt 6.10.1, 6.8.6 or 6.5.11.
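The second mitigation in practice, as an added QML example that is not from the advisory or from the Qt project; `untrustedMessage` is an assumed property standing in for text received from an untrusted source.

```qml
import QtQuick

Item {
    width: 400; height: 200

    // Constructed sample input standing in for text received from an
    // untrusted source (a network message, a file, another process).
    // Any markup it carries, including <img> tags, only reaches the
    // parser if the Text item is allowed to interpret it.
    property string untrustedMessage: "status: <b>ready</b>"

    // Weak: textFormat defaults to Text.AutoText, which detects
    // markup in the string and treats it as styled text, so any
    // <img width/height> attributes in the input are parsed.
    Text {
        id: riskyLabel
        y: 0
        text: untrustedMessage
    }

    // Mitigated: this label never needs rich text, so force
    // Text.PlainText. The string is rendered literally and the
    // styled-text parser is never invoked for it.
    Text {
        id: safeLabel
        y: 40
        text: untrustedMessage
        textFormat: Text.PlainText
    }
}
```

Apply the same `textFormat: Text.PlainText` to every `Text` and `Label` that displays externally supplied strings; keep the default only where the application intentionally renders its own markup.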
Patches:
dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766
Qt 6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687935 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/687936 or https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0001.diff and https://download.qt.io/official_releases/qt/6.10/CVE-2025-12385-qtdeclarative-6.10-0002.diff
Qt 6.9: https://codereview.qt-project.org/c/qt/qtdeclarative/+/692460 and https://codereview.qt-project.org/c/qt/qtdeclarative/+/690033 or https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0001.diff and https://download.qt.io/official_releases/qt/6.9/CVE-2025-12385-qtdeclarative-6.9-0002.diff
Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687955 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/687954 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0001.diff and https://download.qt.io/official_releases/qt/6.8/CVE-2025-12385-qtdeclarative-6.8-0002.diff
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688673 and https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/688672 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0001.diff and https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff