CVE-2025-30348
Publication date 21 March 2025
Last updated 11 July 2025
Ubuntu priority
Description
encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| qt6-base | 25.10 questing |
Not affected
|
| 25.04 plucky |
Not affected
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Not in release | |
| qtbase-opensource-src | 25.10 questing | Ignored only affects Qt6 |
| 25.04 plucky | Ignored only affects Qt6 | |
| 24.04 LTS noble | Ignored only affects Qt6 | |
| 22.04 LTS jammy | Ignored only affects Qt6 | |
| 20.04 LTS focal | Ignored only affects Qt6 | |
| 18.04 LTS bionic | Ignored only affects Qt6 | |
| 16.04 LTS xenial | Ignored only affects Qt6 | |
| qtbase-opensource-src-gles | 25.10 questing |
Needs evaluation
|
| 25.04 plucky |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.8 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-30348
- https://github.com/qt/qtbase/commit/2ce08e3671b8d18b0284447e5908ce15e6e8f80f (v6.9.0-beta1)
- https://github.com/qt/qtbase/commit/225e235cf966a44af23dbe9aaaa2fd20ab6430ee (v6.8.0-rc1)
- https://codereview.qt-project.org/c/qt/qtbase/+/581442
- https://bugreports.qt.io/browse/QTBUG-127549