Heap Use After Free Vulnerability in jq Command-Line JSON Processor
CVE-2025-49014

5.5MEDIUM

Key Information:

Vendor: Jqlang
Status: Jq
Vendor: CVE Published:; 19 June 2025

What is CVE-2025-49014?

A heap use after free vulnerability exists in jq, a command-line JSON processor, specifically in version 1.8.0 affecting the function f_strflocaltime located in /src/builtin.c. This flaw may allow attackers to manipulate memory, potentially leading to arbitrary code execution or application crashes. As of publication, no fixed version has been released, although the issue has been acknowledged in commit 499c91b. Users are advised to remain vigilant and apply any available updates.

Affected Version(s)

jq = 1.8.0

References

https://github.com/jqlang/jq/security/advisories/GHSA-rmj...

x_refsource_CONFIRM

https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc...

x_refsource_MISC

CVSS V4

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jun 19, 2025
Vulnerability Reserved
May 29, 2025

JSON

Jqlang

What is CVE-2025-49014?

Affected Version(s)

References

CVSS V4

Timeline