CVE-2025-12385: CWE-770 Allocation of Resources Without Limits or Throttling in The Qt Company Qt
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
AI Analysis
Technical Summary
CVE-2025-12385 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-1284 (Improper Validation of Specified Quantity in Input) in The Qt Company's Qt framework. The flaw lies in the Text component of Qt Quick, which does not properly validate the width and height attributes of the <img> tag in rich text. An attacker who controls that text can specify excessively large image dimensions, causing the application to allocate excessive memory or processing resources. The flaw affects multiple platforms, including Windows, macOS, Linux, iOS and Android, and the x86 and ARM architectures in both 64-bit and 32-bit builds, covering a broad range of devices and environments. The affected Qt versions span 5.0.0 through 6.5.10, 6.6.0 through 6.8.5 and 6.9.0 through 6.10.0, so many deployed applications may be vulnerable. Exploitation requires no privileges or user interaction and can be triggered remotely by supplying input that contains crafted <img> tags with large dimension values; the result is an unresponsive application, effectively a denial-of-service condition. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) reflects a network attack vector, low complexity, no authentication or user interaction, no confidentiality or integrity impact, and high availability impact. No patches are currently linked and no exploits are known in the wild, but the severity and ease of exploitation make this a critical issue for developers and organizations relying on Qt. The vulnerability underscores the importance of input validation and resource management in UI components that process external data.
Potential Impact
For European organizations, the primary impact is denial of service due to application unresponsiveness, which can disrupt business operations, especially for software products or services built on Qt. Industries relying on embedded systems, IoT devices, automotive software, and cross-platform applications are particularly at risk. The vulnerability could be exploited to degrade service availability in customer-facing applications or critical infrastructure management tools. Given Qt’s widespread use in various sectors, including telecommunications, automotive, industrial automation, and consumer electronics, the impact could extend to critical services and supply chains. The lack of authentication or user interaction requirements means attackers can remotely trigger the vulnerability, increasing the risk of widespread disruption. Additionally, organizations may face reputational damage and compliance challenges if service outages affect end users or violate service-level agreements. The broad platform support means that both desktop and mobile applications in Europe are vulnerable, amplifying the potential operational impact.
Mitigation Recommendations
Organizations should prioritize updating Qt to patched versions once they become available from The Qt Company. Until patches are released, developers should implement strict input validation and sanitization on any user-supplied content that includes <img> tags or other UI elements capable of specifying resource-intensive attributes. Application-level throttling or limits on image dimensions should be enforced to prevent excessive resource allocation. Monitoring application performance and resource usage can help detect anomalous behavior indicative of exploitation attempts. For embedded or IoT devices where updates may be slower, network-level protections such as web application firewalls (WAFs) can be configured to block or limit suspicious payloads containing large dimension attributes. Security teams should also review their software supply chain to identify Qt usage and prioritize remediation accordingly. Finally, educating developers about secure coding practices related to resource management and input validation in UI components will reduce future risks.
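The application-level limit on image dimensions recommended above, and the unvalidated width/height attributes described in the Technical Summary, can be illustrated with a small pre-filter that runs over rich text before it is handed to a Qt Quick Text item. This is an added example written for this page; it is not Qt's own fix (which is not described here) and not code from the advisory. It uses only the C++ standard library so it builds without Qt, and the limit kMaxImgDim, the function names and the sample markup are all assumptions made for the example. Oversized integer dimensions are clamped, non-integer or negative ones are dropped, and the counts are returned so the caller can log inputs that look like probes for this issue.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <regex>
#include <string>

// Upper bound (in pixels) accepted for a rich-text <img> width or height.
// The value is an assumption for this example; use the largest image size the
// UI legitimately renders.
static const long kMaxImgDim = 4096;

struct SanitizeResult {
    std::string html;   // sanitized rich text, ready to assign to Text.text
    int clamped = 0;    // dimension attributes that exceeded the limit
    int dropped = 0;    // dimension attributes that were not plain non-negative integers
};

// Parses s as a plain base-10 integer. Returns false on empty input or
// trailing garbage such as "12px"; sets overflow when the digits do not fit in a long.
static bool parseInt(const std::string& s, long& v, bool& overflow) {
    errno = 0;
    char* end = nullptr;
    v = std::strtol(s.c_str(), &end, 10);
    overflow = (errno == ERANGE);
    return end != s.c_str() && *end == '\0';
}

// Rewrites every <img> tag so that its width/height attributes are plain
// integers no larger than maxDim. Oversized values are clamped, malformed or
// negative values are removed. This is a targeted filter for the rich-text
// subset Qt renders, not a general HTML parser.
SanitizeResult sanitizeImgDimensions(const std::string& html, long maxDim = kMaxImgDim) {
    static const std::regex imgTag(R"re(<img\b[^>]*>)re", std::regex::icase);
    // group 1: leading whitespace, 2: attribute name, 3/4/5: "quoted", 'quoted', unquoted value
    static const std::regex dimAttr(
        R"re((\s*)\b(width|height)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^ \t\r\n"'>]+)))re",
        std::regex::icase);

    SanitizeResult out;
    std::size_t last = 0;
    for (std::sregex_iterator it(html.begin(), html.end(), imgTag), end; it != end; ++it) {
        const std::smatch& m = *it;
        const std::size_t pos = static_cast<std::size_t>(m.position());
        out.html.append(html, last, pos - last);          // copy text before the tag
        const std::string tag = m.str();

        std::string fixed;
        std::size_t tlast = 0;
        for (std::sregex_iterator a(tag.begin(), tag.end(), dimAttr), aend; a != aend; ++a) {
            const std::smatch& am = *a;
            const std::size_t apos = static_cast<std::size_t>(am.position());
            fixed.append(tag, tlast, apos - tlast);       // copy the tag up to this attribute
            const std::string name = am[2].str();
            const std::string val = am[3].matched ? am[3].str()
                                  : am[4].matched ? am[4].str() : am[5].str();
            long v = 0;
            bool overflow = false;
            if (!parseInt(val, v, overflow) || v < 0) {
                ++out.dropped;                            // attribute removed entirely
            } else if (overflow || v > maxDim) {
                ++out.clamped;                            // keep the attribute, cap the value
                fixed += am[1].str() + name + "=\"" + std::to_string(maxDim) + "\"";
            } else {
                fixed += am.str();                        // within limits: copy verbatim
            }
            tlast = apos + static_cast<std::size_t>(am.length());
        }
        fixed.append(tag, tlast, std::string::npos);      // rest of the tag, including '>'

        out.html += fixed;
        last = pos + static_cast<std::size_t>(m.length());
    }
    out.html.append(html, last, std::string::npos);       // text after the last tag
    return out;
}

// Constructed sample input: one well-formed image, one with oversized and
// overflowing dimensions, and one with a non-integer width.
static const char* kSample =
    "<p>Hello <img src=\"logo.png\" width=\"120\" height=\"40\"> world "
    "<img src='x.png' WIDTH=\"2147483647\" height=99999999999999999999> "
    "<img src=\"y.png\" width=\"12px\"></p>";

int main() {
    SanitizeResult r = sanitizeImgDimensions(kSample);
    std::cout << r.html << "\nclamped=" << r.clamped << " dropped=" << r.dropped << '\n';
    return 0;
}
```

Apply the filter at the point where untrusted rich text enters the application (a message body, a feed entry, a document loaded from disk) and only then assign the result to a Text item using rich text. A non-zero clamped or dropped count is worth recording: it is cheap telemetry for the monitoring the mitigation paragraph recommends. This is defence in depth for the window until a fixed Qt release is deployed, not a substitute for upgrading.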
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: TQtC
- Date Reserved: 2025-10-28T11:53:25.141Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6930935d728fb3f62eb0af7f
Added to database: 12/3/2025, 7:45:33 PM
Last enriched: 12/3/2025, 7:59:58 PM
Last updated: 12/5/2025, 2:20:07 AM