CVE-2025-12385 (GCVE-0-2025-12385)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:38 – Updated: 2025-12-03 21:46
VLAI?
Summary
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Qt Company | Qt |
Affected:
5.0.0 , ≤ 6.5.10
(python)
Affected: 6.6.0 , ≤ 6.8.5 (python) Affected: 6.9.0 , ≤ 6.10.0 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:46:27.767155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:46:42.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux",
"iOS",
"Android",
"x86",
"ARM",
"64 bit",
"32 bit"
],
"product": "Qt",
"vendor": "The Qt Company",
"versions": [
{
"lessThanOrEqual": "6.5.10",
"status": "affected",
"version": "5.0.0",
"versionType": "python"
},
{
"lessThanOrEqual": "6.8.5",
"status": "affected",
"version": "6.6.0",
"versionType": "python"
},
{
"lessThanOrEqual": "6.10.0",
"status": "affected",
"version": "6.9.0",
"versionType": "python"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*",
"versionEndIncluding": "6.5.10",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*",
"versionEndIncluding": "6.8.5",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*",
"versionEndIncluding": "6.10.0",
"versionStartIncluding": "6.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\u003cbr\u003e\u003cp\u003eThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u0026lt;img\u0026gt; tag could cause an application to become unresponsive.\u003c/p\u003e\u003cp\u003eThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\nThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u003cimg\u003e tag could cause an application to become unresponsive.\n\nThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:38:53.130Z",
"orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"shortName": "TQtC"
},
"references": [
{
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239"
},
{
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper validation of \u003cimg\u003e tag size in Text component parser",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"assignerShortName": "TQtC",
"cveId": "CVE-2025-12385",
"datePublished": "2025-12-03T19:38:53.130Z",
"dateReserved": "2025-10-28T11:53:25.141Z",
"dateUpdated": "2025-12-03T21:46:42.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-12385\",\"sourceIdentifier\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"published\":\"2025-12-03T20:16:24.170\",\"lastModified\":\"2025-12-04T17:15:08.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\\nThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u003cimg\u003e tag could cause an application to become unresponsive.\\n\\nThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"},{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"references\":[{\"url\":\"https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239\",\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\"},{\"url\":\"https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766\",\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-12385\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-03T21:46:27.767155Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-03T21:46:34.676Z\"}}], \"cna\": {\"title\": \"Improper validation of \u003cimg\u003e tag size in Text component parser\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130 Excessive Allocation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"The Qt Company\", \"product\": \"Qt\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.0.0\", \"versionType\": \"python\", \"lessThanOrEqual\": \"6.5.10\"}, {\"status\": \"affected\", \"version\": \"6.6.0\", \"versionType\": \"python\", \"lessThanOrEqual\": \"6.8.5\"}, {\"status\": \"affected\", \"version\": \"6.9.0\", \"versionType\": \"python\", \"lessThanOrEqual\": \"6.10.0\"}], \"platforms\": [\"Windows\", \"MacOS\", \"Linux\", \"iOS\", \"Android\", \"x86\", \"ARM\", \"64 bit\", \"32 bit\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239\"}, {\"url\": \"https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.4.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\\nThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u003cimg\u003e tag could cause an application to become unresponsive.\\n\\nThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\u003cbr\u003e\u003cp\u003eThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u0026lt;img\u0026gt; tag could cause an application to become unresponsive.\u003c/p\u003e\u003cp\u003eThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1284\", \"description\": \"CWE-1284 Improper Validation of Specified Quantity in Input\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.5.10\", \"versionStartIncluding\": \"5.0.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.8.5\", \"versionStartIncluding\": \"6.6.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}, {\"criteria\": \"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.10.0\", \"versionStartIncluding\": \"6.9.0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"shortName\": \"TQtC\", \"dateUpdated\": \"2025-12-03T19:38:53.130Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-12385\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-03T21:46:42.476Z\", \"dateReserved\": \"2025-10-28T11:53:25.141Z\", \"assignerOrgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"datePublished\": \"2025-12-03T19:38:53.130Z\", \"assignerShortName\": \"TQtC\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-X9VJ-67G7-457M
Vulnerability from github – Published: 2025-12-03 21:31 – Updated: 2025-12-03 21:31
VLAI?
Details
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the tag could cause an application to become unresponsive.
This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
Severity ?
{
"affected": [],
"aliases": [
"CVE-2025-12385"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T20:16:24Z",
"severity": "HIGH"
},
"details": "Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\nThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u003cimg\u003e tag could cause an application to become unresponsive.\n\nThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.",
"id": "GHSA-x9vj-67g7-457m",
"modified": "2025-12-03T21:31:05Z",
"published": "2025-12-03T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12385"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
FKIE_CVE-2025-12385
Vulnerability from fkie_nvd - Published: 2025-12-03 20:16 - Updated: 2025-12-04 17:15
Severity ?
Summary
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.\nThis issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the \u003cimg\u003e tag could cause an application to become unresponsive.\n\nThis issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0."
}
],
"id": "CVE-2025-12385",
"lastModified": "2025-12-04T17:15:08.283",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"type": "Secondary"
}
]
},
"published": "2025-12-03T20:16:24.170",
"references": [
{
"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239"
},
{
"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766"
}
],
"sourceIdentifier": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
},
{
"lang": "en",
"value": "CWE-1284"
}
],
"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…