CVE-2025-9403
Published: 2025-08-25
Priority: P4 · 24 · medium
CVSS 3.1: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.19% (9.3th percentile)
A vulnerability was found in jqlang jq up to and including 1.6. The affected code is the function run_jq_tests in the file jq_test.c of the JSON Parser component. Manipulated input can trigger a reachable assertion. The attack requires local access. An exploit has been publicly disclosed and may be used. Other versions might be affected as well.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jq | — | — |
| jqlang | jq | <= 1.6 | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| msrc | cbl2_jq_1.6-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_jq_1.6-5_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 1.9 | LOW | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 1.7 | LOW | AV:L/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 4.8 | MEDIUM | — |
| vendor_debian | — | 4.8 | LOW | — |
| vendor_redhat | — | 4.8 | MEDIUM | — |
| vendor_msrc | — | 3.3 | LOW | — |
Red Hat
jq: assertion failure in run_jq_tests() of the file jq_test.c
vendor_redhat · 2025-08-25 · CVSS 4.8 · MEDIUM · CWE-617
A vulnerability has been identified in the jq JSON processor where malformed JSON input containing invalid Unicode escape sequences can trigger an assertion failure in the test suite’s parsing consistency checks. This flaw arises from inconsistencies between expected and reparsed JSON values during serialization and deserialization, potentially allowing an attacker to exploit the issue by supply
Microsoft
jqlang jq JSON jq_test.c run_jq_tests assertion
vendor_msrc · 2025-08-12 · CVSS 3.3 · MEDIUM · CWE-617
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
VulDB: VulDB
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microso
Debian
CVE-2025-9403: jq - A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function ...
vendor_debian · 2025 · CVSS 4.8 · MEDIUM
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
OSV
CVE-2025-9403: A vulnerability was determined in jqlang jq up to 1
osv · 2025-08-25 · CVSS 4.8 · MEDIUM
GHSA
GHSA-45r2-rx5v-q5f6: A vulnerability was determined in jqlang jq up to 1
ghsa_unreviewed · 2025-08-25 · MEDIUM · CWE-617
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-9403 jq: assertion failure in run_jq_tests() of the file jq_test.c [fedora-42]
bugzilla · 2025-08-26 · CVSS 1.9 · LOW
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug
Bugzilla
CVE-2025-9403 jq: assertion failure in run_jq_tests() of the file jq_test.c
bugzilla · 2025-08-25 · CVSS 4.8 · MEDIUM
Published: 2025-08-25