An Untrusted Search Path vulnerability has been discovered in the certificate 
loading mechanism of Qt's OpenSSL backend and has been assigned the CVE id 
CVE-2025-14575.

Affected versions: Qt 5.0.0 through Qt 6.5.9, Qt 6.6.0 through Qt 6.8.3, and 
Qt 6.9.0 through Qt 6.9.1, on Unix and Linux platforms (excluding macOS).

Impact: Untrusted Search Path vulnerability in Qt's OpenSSL backend on Unix and 
Linux allows loading of certificates from the current working directory under 
specific conditions.

This issue affects applications using Qt's SSL/TLS functionality on Unix-based 
systems (excluding macOS). Before the fix (Qt 6.5.10, 6.8.4 and 6.9.2), two 
behaviours combined: QFileInfo's canonical path resolution returns an empty 
string for a broken symlink, and QSslCertificate::fromPath treats an empty path 
as the current working directory. When the system CA directory scan hit a 
dangling symlink, the empty canonical path was therefore passed to fromPath, 
and any certificates in the current directory were loaded as trusted system 
certificates.

The vulnerability requires specific preconditions to be exploitable: either 
broken symlinks must exist in the system CA certificate directory, or a race 
condition must occur during a certificate store update, combined with the 
application running from an attacker-controlled directory (such as Downloads or 
/tmp). Successful exploitation could allow an attacker to perform 
man-in-the-middle attacks by having malicious certificates loaded as trusted 
system certificates, potentially leading to information disclosure or integrity 
violations of encrypted communications.

This vulnerability is considered minor as it requires system misconfiguration 
and does not affect properly configured systems that support on-demand 
certificate loading (most modern systems).

CVSS 4.0 Score: 1.8 / Low
Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Mitigation:
Ensure your system is properly configured to support on-demand certificate 
loading (most modern systems support this by default)
Verify that system CA certificate directories do not contain broken symlinks
Avoid running Qt applications from untrusted directories such as Downloads, 
/tmp, or other world-writable locations
Deploy applications with proper working directory controls
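The following is an added example, not Qt project code: it implements the 
broken-symlink check from the mitigation list above and models the pre-fix 
lookup chain described earlier (canonical path of a dangling link resolves to an 
empty string, which fromPath then treats as the current working directory). The 
"fixed" branch, which simply skips an empty canonical path, is an assumption 
about the patched behaviour for illustration and is not taken from the patch. 
The CA directory, the dangling link and the "Downloads" directory are all 
constructed in a temporary location; nothing here calls Qt.

```python
"""Added example (not Qt code): check a CA directory for dangling symlinks and
model the pre-fix certificate lookup chain described in the advisory."""
import os
import tempfile


def find_broken_symlinks(ca_dir):
    """Names of entries in ca_dir that are symlinks pointing at a missing target."""
    broken = []
    with os.scandir(ca_dir) as entries:
        for entry in entries:
            # is_symlink() inspects the link itself; os.path.exists() follows it,
            # so "symlink whose target does not exist" is exactly a dangling link.
            if entry.is_symlink() and not os.path.exists(entry.path):
                broken.append(entry.name)
    return sorted(broken)


def model_canonical_path(path):
    """Model of QFileInfo::canonicalFilePath(): the empty string when the file
    (or a symlink's target) does not exist, otherwise the resolved path."""
    if not os.path.exists(path):
        return ""
    return os.path.realpath(path)


def model_from_path_source(path, cwd):
    """Model of where the pre-fix QSslCertificate::fromPath() reads from:
    an empty path is treated as the current working directory."""
    return cwd if path == "" else path


def model_system_ca_sources(ca_dir, cwd, fixed=False):
    """Model of the system-CA directory scan: canonicalise every entry in
    ca_dir and return the places certificates would be read from.
    fixed=True skips the empty canonical path of a dangling link instead of
    turning it into a cwd lookup (an assumption about the patched behaviour,
    used here only to contrast the two outcomes)."""
    sources = []
    for name in sorted(os.listdir(ca_dir)):
        canonical = model_canonical_path(os.path.join(ca_dir, name))
        if canonical == "" and fixed:
            continue
        sources.append(model_from_path_source(canonical, cwd))
    return sources


def build_fixture():
    """Constructed data: a throwaway CA directory holding one regular file and
    one dangling symlink, plus an attacker-writable 'Downloads' directory."""
    root = tempfile.mkdtemp(prefix="cve-2025-14575-model-")
    ca_dir = os.path.join(root, "certs")
    cwd = os.path.join(root, "Downloads")
    os.mkdir(ca_dir)
    os.mkdir(cwd)
    placeholder = "placeholder, not a real certificate\n"
    with open(os.path.join(ca_dir, "good.pem"), "w") as f:
        f.write(placeholder)
    # The kind of entry an interrupted certificate-store update can leave behind.
    os.symlink(os.path.join(root, "removed-ca.crt"),
               os.path.join(ca_dir, "dangling.pem"))
    with open(os.path.join(cwd, "attacker.pem"), "w") as f:
        f.write(placeholder)
    return ca_dir, cwd


if __name__ == "__main__":
    ca_dir, cwd = build_fixture()
    print("broken symlinks:", find_broken_symlinks(ca_dir))
    print("pre-fix sources:", model_system_ca_sources(ca_dir, cwd))
    print("fixed sources:  ", model_system_ca_sources(ca_dir, cwd, fixed=True))
    # Run the same check against the real system store where one exists.
    for real in ("/etc/ssl/certs", "/etc/pki/tls/certs"):
        if os.path.isdir(real):
            print(real, "broken symlinks:", find_broken_symlinks(real))
```

Run as a script it prints the model's result for the constructed fixture and 
then lists any dangling links in the usual system CA directories, which is the 
check worth adding to a deployment or CI host before shipping an unpatched Qt 
build.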

Solution: Update to Qt 6.5.10, 6.8.4 or 6.9.2 (or later), or apply the patch.

Patches:
Dev: https://codereview.qt-project.org/c/qt/qtbase/+/642967

6.9: https://codereview.qt-project.org/c/qt/qtbase/+/645356 or 
https://download.qt.io/official_releases/qt/6.9/CVE-2025-14575-qtbase-6.9.diff

6.8: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/645393 or 
https://download.qt.io/official_releases/qt/6.8/CVE-2025-14575-qtbase-6.8.diff

6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/645812 or  
https://download.qt.io/official_releases/qt/6.5/CVE-2025-14575-qtbase-6.5.diff


Confidential
_______________________________________________
Announce mailing list
[email protected]
https://lists.qt-project.org/listinfo/announce
-- 
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development