Cybersecurity Vulnerabilities

CVE-2025-12385: Qt Text Component Vulnerability Leading to Excessive Resource Allocation

Overview

CVE-2025-12385 identifies a vulnerability within the Text component of the Qt Quick framework. This vulnerability stems from the lack of proper validation for the width and height attributes within the <img> tag. An attacker can exploit this by injecting excessively large values into these attributes, causing the application to allocate an unreasonable amount of resources, potentially leading to unresponsiveness or a denial-of-service (DoS) condition.

This vulnerability affects Qt versions 5.0.0 through 6.5.10, 6.6.0 through 6.8.5, and 6.9.0 through 6.10.0 across multiple platforms, including Windows, macOS, Linux, iOS, and Android, as well as x86 and ARM architectures, both 64-bit and 32-bit.

Technical Details

The core issue lies in the inadequate input validation of the width and height attributes associated with the <img> tag when rendered by Qt’s Text component within Qt Quick applications. When a large or unreasonable value is supplied for either of these attributes, the underlying rendering engine attempts to allocate memory and resources proportional to these values. This excessive allocation can exhaust available resources, resulting in performance degradation or, in severe cases, a complete application freeze.

The vulnerability is classified as “Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input,” indicating a flaw in how the application handles user-provided input related to resource allocation.

CVSS Analysis

Currently, a CVSS score has not been assigned to CVE-2025-12385. This might be because the impact is dependent on the specific application context and available system resources. Further analysis is required to accurately determine the severity. However, given the potential for denial-of-service, it’s advisable to treat this vulnerability with significant concern.

Possible Impact

The exploitation of CVE-2025-12385 can have several adverse effects:

  • Denial of Service (DoS): By supplying malicious <img> tags, an attacker can cause the application to become unresponsive, effectively denying service to legitimate users.
  • Performance Degradation: Even without a complete crash, the excessive resource allocation can significantly slow down the application’s performance, impacting the user experience.
  • Resource Exhaustion: On systems with limited resources, this vulnerability could lead to system-wide instability as other applications compete for the dwindling resources.

Mitigation and Patch Steps

The recommended mitigation strategy is to upgrade to a Qt version that addresses this vulnerability. Specifically, users should upgrade to a version beyond the affected ranges:

  • Upgrade beyond 6.5.10
  • Upgrade beyond 6.8.5
  • Upgrade beyond 6.10.0

Alternatively, if upgrading is not immediately feasible, consider implementing input validation on the width and height attributes of <img> tags within your Qt Quick applications. Ensure that these values are within reasonable bounds to prevent excessive resource allocation. Specifically:

  • Sanitize user-provided HTML content before rendering it using Qt’s Text component.
  • Implement checks to verify that image dimensions are within acceptable limits.
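
One way to implement the two checks above on markup before it is assigned to a Text item, as an added example (not code from Qt or from the original article). It is plain JavaScript so it can also live in a .js file imported by QML; the 4096-pixel limit and all function names are assumptions.

```javascript
// Added example (not Qt code). The limit and every name here are assumptions.
var MAX_IMG_DIMENSION = 4096; // pixels; choose a bound that suits your UI

// One <img ...> tag: quoted values may contain '>', an unclosed tag runs to end of input.
var IMG_TAG = /<img\b((?:"[^"]*"|'[^']*'|[^>])*)>?/gi;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
var ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Returns the string to emit for a width/height value, or null to drop the attribute.
function safeDimension(raw) {
    var v = String(raw).trim();
    if (!/^\d+$/.test(v)) return null;          // rejects signs, exponents, hex, entities
    var n = parseInt(v, 10);                    // very long digit runs become huge or Infinity
    return n < 1 ? null : String(Math.min(n, MAX_IMG_DIMENSION));
}

// Rebuilds every <img> tag from its parsed attributes with bounded dimensions.
function sanitizeImgDimensions(html) {
    return String(html).replace(IMG_TAG, function (tag, body) {
        var out = "<img", m;
        var close = /\/\s*$/.test(body) ? " />" : ">";   // keep a self-closing slash
        ATTR.lastIndex = 0;
        while ((m = ATTR.exec(body)) !== null) {
            var name = m[1].toLowerCase();
            var value = [m[2], m[3], m[4]].filter(function (x) { return x !== undefined; })[0];
            if (name === "width" || name === "height") {
                value = value === undefined ? null : safeDimension(value);
                if (value === null) continue;            // drop unusable dimensions
            }
            out += " " + name;
            if (value !== undefined) out += '="' + String(value).replace(/"/g, "&quot;") + '"';
        }
        return out + close;
    });
}
```

Oversized numeric values are clamped to the limit, while zero and non-numeric values are removed so the image falls back to its own size. The filter only covers the width and height attributes of <img> and does not replace upgrading Qt.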

References

Qt Code Review – Patch 1
Qt Code Review – Patch 2

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.