
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An issue was discovered in the private API function qDecodeDataUrl() in QtCore, which is used in the QTextDocument and QNetworkReply components. The vulnerability affects Qt versions up to 5.15.18, 6.0.0 through 6.5.8, 6.6.0 through 6.8.3, and 6.9.0. The issue was disclosed on June 2, 2025 (NVD).
The vulnerability occurs when the qDecodeDataUrl() function is called with malformed data, specifically when processing URLs containing a 'charset' parameter without a value (e.g., 'data:charset,'). When Qt is built with assertions enabled, this malformed input triggers an assertion, resulting in a denial of service condition through application abort. The vulnerability has been assigned a CVSS 4.0 base score of 8.4 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear. The issue has been classified as CWE-20 (Improper Input Validation) (NVD).
When exploited, this vulnerability can lead to a denial of service condition by causing the application to abort when processing specially crafted input. This affects applications using QtCore's text document and network reply functionalities (NVD).
The vulnerability has been fixed in Qt versions 5.15.19, 6.5.9, 6.8.4, and 6.9.1. Users are advised to upgrade to these patched versions to mitigate the issue (NVD).
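The following check is an added example, not code from Qt or from this database entry. It tests a Qt version string against the affected ranges listed above and flags `data:` URLs whose header carries a `charset` parameter with no value, so such input can be rejected before it reaches an unpatched build. The function names, the zero lower bound for the 5.x range, and the choice to percent-decode the header and to treat `charset=` with an empty value as valueless are assumptions made for a conservative filter; it does not reproduce Qt's own parser.

```python
import re
from urllib.parse import unquote

# Inclusive affected ranges from the advisory text. The (0, 0, 0) lower bound
# for "up to 5.15.18" is an assumption; the page gives no first affected version.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 15, 18)),
    ((6, 0, 0), (6, 5, 8)),
    ((6, 6, 0), (6, 8, 3)),
    ((6, 9, 0), (6, 9, 0)),
]

def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """True if the Qt version falls inside a range the advisory lists."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)

def has_valueless_charset(url):
    """True if a data: URL header carries 'charset' with no value."""
    scheme, colon, rest = url.strip().partition(":")
    if not colon or scheme.lower() != "data":
        return False
    header = unquote(rest.partition(",")[0])  # text before the payload comma
    for segment in header.split(";"):
        name, _, value = segment.partition("=")
        if name.strip().lower() == "charset" and not value.strip():
            return True
    return False

if __name__ == "__main__":
    # Constructed inventory and inputs, for illustration only.
    for version in ("5.15.18", "6.5.9", "6.8.3", "6.9.1"):
        print(version, "affected" if is_affected(version) else "not affected")
    for url in ("data:charset,", "data:text/plain;charset=utf-8,hi"):
        print(repr(url), "reject" if has_valueless_charset(url) else "ok")
```

Input filtering of this kind is a stopgap for builds that cannot be upgraded yet; the fix stated above is moving to a patched Qt release.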
Source: This report was generated using AI