CVE-2025-49014
Published 2025-06-19
Priority: P4 · 30 · medium 5.5 (CVSS 4.0)
EPSS: 0.32% (23.8th percentile)
jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jq | < jq 1.8.1-1 (forky) | jq 1.8.1-1 (forky) |
| jqlang | jq | — | — |
| jqlang | jq | >= 0 < 1.8.1-1 | 1.8.1-1 |
| msrc | azl3_jq_1.7.1-4_on_azure_linux_3.0 | — | — |
| msrc | cbl2_jq_1.6-5_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | LOW | — |
| vendor_msrc | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
Red Hat
jq: jq Heap Use-After-Free Vulnerability
vendor_redhat · 2025-06-19 · CVSS 5.5 · MEDIUM · CWE-416
A flaw was found in jq. The `f_strflocaltime` function in `builtin.c` contains a heap use-after-free vulnerability, which can allow a local attacker to trigger a crash by providing a specially crafted input. This condition arises from the use of freed memory, leading to unpredictable program behavior. The vulnerability can directly result in an application-level denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat
Microsoft
jq heap use after free vulnerability in f_strflocaltime
vendor_msrc · 2025-06-10 · CVSS 5.5 · MEDIUM · CWE-416
Mariner · GitHub_M
Customer Action Required: Yes
Debian
CVE-2025-49014: jq - jq is a command-line JSON processor. In version 1.8.0 a heap use after free vuln...
vendor_debian · 2025 · CVSS 5.5 · MEDIUM
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.8.1-1)
sid: resolved (fixed in 1.8.1-1)
trixie: resolved
OSV
CVE-2025-49014: jq is a command-line JSON processor
osv · 2025-06-19 · CVSS 5.5 · MEDIUM
No detection rules found.
No public exploits indexed.