CVE-2025-14576

Name: CVE-2025-14576

Description: Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release       Version          Status
qt6-declarative (PTS)   bookworm      6.4.2+dfsg-1     vulnerable
qt6-declarative (PTS)   trixie        6.8.2+dfsg-7     vulnerable
qt6-declarative (PTS)   forky, sid    6.10.2+dfsg-4    fixed

The information below is based on the following data on fixed versions.

Package           Type     Release       Fixed Version    Urgency   Origin   Debian Bugs
qt6-declarative   source   (unstable)    6.10.2+dfsg-4    -         -        -

Notes

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
https://github.com/qt/qtdeclarative/commit/1f35339b03fcb8787028e1301012a559328815fb (v6.10.2)
