CVE-2025-49014

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

CVSS

No CVSS.

References

Link	Resource
https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e
https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) jq es un procesador JSON de línea de comandos. En la versión 1.8.0 existe una vulnerabilidad de heap use after free en la función f_strflocaltime de /src/builtin.c. Este problema se ha corregido en el commit 499c91b; no se conoce ninguna versión al momento de la publicación.

19 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-19 15:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-49014

Mitre link : CVE-2025-49014

CVE.ORG link : CVE-2025-49014

JSON object : View

Products Affected

No product.

CWE

CWE-416

Use After Free

{"id": "CVE-2025-49014", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-19T15:15:20.650", "references": [{"url": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e", "source": "security-advisories@github.com"}, {"url": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication."}, {"lang": "es", "value": "jq es un procesador JSON de l\u00ednea de comandos. En la versi\u00f3n 1.8.0 existe una vulnerabilidad de heap use after free en la funci\u00f3n f_strflocaltime de /src/builtin.c. Este problema se ha corregido en el commit 499c91b; no se conoce ninguna versi\u00f3n al momento de la publicaci\u00f3n. "}], "lastModified": "2025-06-23T20:16:59.783", "sourceIdentifier": "security-advisories@github.com"}