CVE-2025-49014

CVE-2025-49014

Name

CVE-2025-49014

Description

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e
CONFIRM	https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2

Type

URI

MISC

https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e

CONFIRM

https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2

CPE URI	Source package	Min version	Max version
	jq	>= 0	== 1.8.0

CPE URI

Source package

Min version

Max version

>= 0

== 1.8.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
jq	edge-main	1.8.1-r0	Patrycja Rosa <alpine@ptrcnull.me>	fixed
jq	edge-main	1.8.0-r0	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable
jq	3.23-main	1.8.1-r0	Patrycja Rosa <alpine@ptrcnull.me>	fixed
jq	3.22-main	1.8.1-r0	Patrycja Rosa <alpine@ptrcnull.me>	fixed
jq	3.22-main	1.8.0-r0	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

edge-main

1.8.1-r0

Patrycja Rosa <alpine@ptrcnull.me>

fixed

edge-main

1.8.0-r0

Patrycja Rosa <alpine@ptrcnull.me>