CVE-2022-25255 is a sneaky vulnerability affecting Qt, a widely used framework for developing cross-platform applications. If you use Qt on Linux or UNIX (this doesn't affect Windows or macOS), this bug could allow attackers to execute a program from your application's current working directory—even when it's not in your PATH. This bug is present in all Qt versions from 5.9.x to 5.15.x (before 5.15.9), and 6.x before 6.2.4.
In this long-read, we'll break down what the vulnerability is about, how it can be exploited, look at real code snippets, and give you some pointers to secure your apps. References to the official fix and advisories are included at the end.
What Exactly Is the Bug?
Qt lets developers use the QProcess class to start and manage external programs from within their apps, similar to how you might use system() or exec() in C.
For example
QProcess process;
process.start("ls", QStringList() << "-l");
This should run the ls command from your system's PATH.
The problem:
If a malicious file named ls exists in your program's current working directory, and if ls isn't found in the user's PATH, some affected Qt versions will execute that local file instead of failing! This is unexpected and dangerous, because it can let an attacker run code with your application's permissions.
Why Is This Dangerous?
Let’s say your app runs as root, or just as a regular user in a multi-user system. If an attacker can drop a file named ls (or any executable the app might call) into your working directory, and then trigger a QProcess call for an executable not present in PATH, the malicious file gets executed.
This is what's called a "search path vulnerability." Unix shells have usually avoided this problem, but here, Qt tripped up.
Assume you're running a vulnerable Qt app. Here’s how an attacker could exploit CVE-2022-25255
1. Identify what binaries the application tries to execute via QProcess. For example, maybe it runs commands like convert, grep, etc.
2. Place a malicious executable (script or binary) with the same name as the target command in the current directory.
3. Ensure that the command is *not* present in the PATH. You could manipulate the environment, or just know it's missing.
4. Trigger the vulnerable QProcess call. When the QProcess attempts to run the missing command, it will instead execute the attacker's local file.
Suppose the application has the following code
QProcess process;
process.start("convert", QStringList() << "input.png" << "output.jpg");
./convert
#!/bin/sh
# Malicious code here:
id > /tmp/attacker.txt
# Optionally, call the real convert if you want to avoid suspicion
- Make it executable
chmod +x ./convert
- When the user triggers the function, your script runs instead! Now /tmp/attacker.txt contains information about the user's privileges.
Here’s a (simplified) version akin to what Qt did internally
// If not an absolute path, look for the program
// for (const QString& dir : path.split(':'))
// if (QFile::exists(dir + "/" + program))
// return dir + "/" + program;
// Oops! Also try cwd as a last resort IF still not found!
if (QFile::exists(QDir::current().filePath(program)))
return QDir::current().filePath(program);
Instead of just failing when the program isn’t in PATH, it tries the current working directory—which is exactly what we don’t want.
Applications that let users control the working directory.
- Application run as other users (think SUID/SGID).
Environments with untrusted files or users.
If your app runs as root and an unprivileged user drops an executable into the program's working directory, that file could run with root privileges.
6.2.4 or newer on 6.x
Or, as a mitigation in your code, always use absolute paths in QProcess calls, or carefully sanitize the working directory before running external commands.
Defensive Snippet
QString program = "/usr/bin/convert"; // explicit path
QProcess process;
process.start(program, arguments);
Disable current directory searching (safe behavior)
(From Qt 5.15.9+, this is the default, but check your Qt version!)
References & More Info
- The Official Qt Security Advisory
- NIST NVD page for CVE-2022-25255
- Qt Patch Diff on GitHub
Conclusion
CVE-2022-25255 is a great reminder that even simple mistakes—like searching the working directory for missing binaries—can have serious impacts for app security. If you’re using Qt 5.9.x through 5.15.x before 5.15.9, or 6.x before 6.2.4, make sure you update. Always use explicit, absolute paths to system binaries, and treat your current directory as untrusted in all code that runs external commands.
Timeline
Published on: 02/16/2022 19:15:00 UTC
Last modified on: 02/28/2022 16:18:00 UTC