A Denial-of-Service type of security issue in the QDom classes of the Qt XML module has been discovered and has been assigned the CVE id CVE-2025-30348.

Affected versions: up to 5.15.18, 6.0.0 to 6.5.8, and 6.6.0 to 6.7.3.

Impact: When QDom classes are used to write XML with long text segments, QDomNode::save() could hit a quadratic-complexity code path, potentially leading to a DoS if an attacker can control the rate and contents of the XML serializations performed by the application, e.g. if the application packages attacker-supplied text in XML, including reading XML, changing it, and writing it back. To mitigate the issue, we advise enforcing implementation limits on the size of text and attributes accepted into QDom, or porting the application to QXmlStreamReader/Writer.

Solution: Apply the following patch or update to Qt 6.9.0, 6.8.0, 6.5.9 or 5.15.19.

Patches:

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/627439 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-30348-qtbase-6.5.diff

Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/632061 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-30348-qtbase-5.15.diff

Regards,
Tuukka Kettunen

--
Tuukka Kettunen
Senior Manager, Technical Support
The Qt Company
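The advisory's interim mitigation is to bound the size of text segments and attribute values before they are admitted into QDom. The following is an added example of such an admission gate, written for this page and not part of Qt or of the advisory. It deliberately avoids Qt so it builds stand-alone: a minimal scanner (not a validating parser) walks the raw XML bytes, measures each character-data run, each CDATA section, and each quoted attribute value, and reports whether any of them exceeds the caller's limits. The function names `scanXmlSizes` and `admitForQDom`, the default limits, and the sample documents are all assumptions made here; the intended use is to call `admitForQDom` on untrusted input before `QDomDocument::setContent` and to reject the input if it returns false.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

// Result of the pre-admission scan (hypothetical type, added for this example).
struct XmlSizeCheck {
    bool ok;                   // false if any limit was exceeded
    std::size_t longest_text;  // longest character-data or CDATA run seen (bytes)
    std::size_t longest_attr;  // longest quoted attribute value seen (bytes)
};

// Measure the longest text run and attribute value in raw XML without building a DOM.
// Each text run, each CDATA section and each attribute value is measured separately.
// This is a byte-level tokenizer, not a validating parser: it only distinguishes tags,
// quoted attribute values, comments, CDATA sections and character data.
XmlSizeCheck scanXmlSizes(std::string_view xml, std::size_t maxText, std::size_t maxAttr) {
    XmlSizeCheck r{true, 0, 0};
    const std::size_t n = xml.size();
    std::size_t i = 0;
    std::size_t textRun = 0;
    auto endText = [&] {
        if (textRun > r.longest_text) r.longest_text = textRun;
        textRun = 0;
    };

    while (i < n) {
        if (xml.compare(i, 9, "<![CDATA[") == 0) {
            endText();
            std::size_t end = xml.find("]]>", i + 9);
            if (end == std::string_view::npos) end = n;
            textRun = end - (i + 9);   // CDATA content is its own text segment
            endText();
            i = (end == n) ? n : end + 3;
            continue;
        }
        if (xml.compare(i, 4, "<!--") == 0) {
            endText();
            std::size_t end = xml.find("-->", i + 4);
            i = (end == std::string_view::npos) ? n : end + 3;  // comments are not text
            continue;
        }
        if (xml[i] == '<') {
            endText();
            ++i;
            // Inside a tag: walk to '>' and measure every quoted attribute value on the way.
            while (i < n && xml[i] != '>') {
                if (xml[i] == '"' || xml[i] == '\'') {
                    const char q = xml[i];
                    std::size_t end = xml.find(q, i + 1);
                    if (end == std::string_view::npos) end = n;
                    const std::size_t len = end - (i + 1);
                    if (len > r.longest_attr) r.longest_attr = len;
                    i = (end == n) ? n : end + 1;
                } else {
                    ++i;
                }
            }
            if (i < n) ++i;  // skip the closing '>'
            continue;
        }
        ++textRun;  // ordinary character data
        ++i;
    }
    endText();
    r.ok = r.longest_text <= maxText && r.longest_attr <= maxAttr;
    return r;
}

// Admission gate: true if the document is within limits and may be handed to QDom.
// The default limits are assumptions for this example; tune them to the application.
bool admitForQDom(std::string_view xml, std::size_t maxText = 64 * 1024,
                  std::size_t maxAttr = 4 * 1024) {
    return scanXmlSizes(xml, maxText, maxAttr).ok;
}

int main() {
    // Constructed sample inputs: one small document and one with a 200 KiB text node.
    const std::string small = "<doc a=\"xyz\">hello<![CDATA[raw]]></doc>";
    const std::string big = "<doc>" + std::string(200 * 1024, 'A') + "</doc>";
    std::printf("small admitted: %d\n", admitForQDom(small) ? 1 : 0);
    std::printf("big admitted:   %d\n", admitForQDom(big) ? 1 : 0);
    return 0;
}
```

Because the scan is linear in the input size and allocates nothing, it can run on every request before any DOM is built; the limits should be set just above what the application legitimately needs, so that the rejected inputs are exactly the ones that would otherwise drive QDomNode::save() into the expensive path.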
_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce

--
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development