An Improper Control of Generation of Code ('Code Injection') vulnerability has been discovered in the VectorImage component of the Qt declarative module and has been assigned the CVE id CVE-2025-14576.
Affected versions: From Qt 6.8.0 through Qt 6.8.6 and from Qt 6.10.0 through Qt 6.10.1
Impact: Improper Control of Generation of Code ('Code Injection') vulnerability in Qt Quick on Windows, macOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows QML/JavaScript Code Injection.
This issue affects users of the VectorImage component in Qt Quick. Insufficient validation of node IDs in SVG files could allow a malicious SVG file to inject and execute arbitrary QML/JavaScript code in the application context. This requires a user to be tricked into loading a malicious SVG file. While QML execution is typically more restricted than native code execution, this could lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
CVSS 4.0 Score: 7.4 (HIGH)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U
Mitigation: Only load SVG files from trusted sources when using the VectorImage component. Applications should validate and sanitize SVG content before loading, or implement additional security controls to restrict the sources of SVG files that can be loaded by users.
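One way to apply the mitigation above as a pre-load gate for SVG files from untrusted sources is to parse the file and refuse it unless every element id (and every fragment reference to an id) matches a conservative identifier allow-list. The following is an added example, not Qt's own code and not a description of how VectorImage validates ids internally; the allow-list regular expression is an assumption chosen to be much stricter than what SVG itself permits, and the two SVG inputs are constructed for this example. It reduces exposure but does not replace upgrading to a fixed Qt release.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allow-list for ids: an identifier-like token with no quotes, braces,
# semicolons, slashes or whitespace. Deliberately stricter than the XML Name
# production that SVG allows; this is NOT the rule Qt applies.
SAFE_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,127}$")

# Attributes that carry an element id, and attributes that reference one.
ID_ATTRS = ("id", "{http://www.w3.org/XML/1998/namespace}id")
HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")
# url(#target) references appear in fill=, stroke=, clip-path=, mask=, etc.
URL_REF = re.compile(r"url\(\s*#([^)]*)\)")


class UnsafeSvg(ValueError):
    """Raised when the SVG is malformed or contains an id we will not accept."""


def check_svg_ids(svg_bytes: bytes) -> list[str]:
    """Return every element id in document order after checking that each id,
    and each reference to an id, matches SAFE_ID. Raises UnsafeSvg otherwise."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise UnsafeSvg(f"not well-formed XML: {exc}") from None

    ids: list[str] = []
    for elem in root.iter():
        for attr in ID_ATTRS:
            value = elem.get(attr)
            if value is None:
                continue
            if not SAFE_ID.match(value):
                raise UnsafeSvg(f"rejected id {value!r} on <{elem.tag}>")
            ids.append(value)
        for attr in HREF_ATTRS:
            ref = elem.get(attr)
            if ref is not None and ref.startswith("#") and not SAFE_ID.match(ref[1:]):
                raise UnsafeSvg(f"rejected reference {ref!r} on <{elem.tag}>")
        for attr, value in elem.attrib.items():
            for target in URL_REF.findall(value):
                if not SAFE_ID.match(target):
                    raise UnsafeSvg(f"rejected url(#...) target {target!r} in {attr}")
    return ids


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Boolean wrapper: True only if the file passes check_svg_ids."""
    try:
        check_svg_ids(svg_bytes)
    except UnsafeSvg:
        return False
    return True


# Constructed sample inputs (not real-world files).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<defs><linearGradient id="grad_1"/></defs>'
    b'<rect id="box-1" fill="url(#grad_1)" width="10" height="10"/>'
    b"</svg>"
)
# An id carrying quote and semicolon characters, which the allow-list rejects.
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<rect id=\"box'; x\" width=\"1\" height=\"1\"/>"
    b"</svg>"
)

if __name__ == "__main__":
    print("benign:", check_svg_ids(BENIGN_SVG))          # ['grad_1', 'box-1']
    print("suspicious accepted:", is_safe_svg(SUSPICIOUS_SVG))  # False
```

Run the check on the raw bytes before handing the path to VectorImage, and treat any UnsafeSvg as a refusal to load. The standard-library parser is not hardened against entity-expansion attacks; when the input is genuinely untrusted, parse with defusedxml.ElementTree.fromstring (a third-party drop-in replacement) instead of xml.etree.ElementTree.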
Solution: Apply the patch for your branch from the list below, or update to Qt 6.8.7 or Qt 6.10.2 or later:
Patches:
dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/698876 or https://download.qt.io/official_releases/qt/6.10/
6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/699294 or https://download.qt.io/official_releases/qt/6.8/