CVE-2025-49014Use After Free in JQ

CWE-416Use After Free6 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.4%
top 40.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jqlang JQ
Timeline
PublishedJun 19

Description

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

Debianjqlang/jq< 1.8.1-1
CVEListV5jqlang/jq= 1.8.0

🔴Vulnerability Details

2
CVEList
jq heap use after free vulnerability in f_strflocaltime2025-06-19
OSV
CVE-2025-49014: jq is a command-line JSON processor2025-06-19

📋Vendor Advisories

3
Red Hat
jq: jq Heap Use-After-Free Vulnerability2025-06-19
Microsoft
jq heap use after free vulnerability in f_strflocaltime2025-06-10
Debian
CVE-2025-49014: jq - jq is a command-line JSON processor. In version 1.8.0 a heap use after free vuln...2025
CVE-2025-49014 — Use After Free in Jqlang JQ | cvebase