{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49014", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-29T16:34:07.176Z", "datePublished": "2025-06-19T15:08:04.875Z", "dateUpdated": "2025-06-23T17:38:15.404Z"}, "containers": {"cna": {"title": "jq heap use after free vulnerability in f_strflocaltime", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2"}, {"name": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "= 1.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-19T15:08:04.875Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication."}], "source": {"advisory": "GHSA-rmjp-cr27-wpg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-23T17:38:03.621904Z", "id": "CVE-2025-49014", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T17:38:15.404Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49014", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-23T17:38:03.621904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T17:38:11.126Z"}}], "cna": {"title": "jq heap use after free vulnerability in f_strflocaltime", "source": {"advisory": "GHSA-rmjp-cr27-wpg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "= 1.8.0"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e", "name": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-19T15:08:04.875Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49014", "state": "PUBLISHED", "dateUpdated": "2025-06-23T17:38:15.404Z", "dateReserved": "2025-05-29T16:34:07.176Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-19T15:08:04.875Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication."}, {"lang": "es", "value": "jq es un procesador JSON de l\u00ednea de comandos. En la versi\u00f3n 1.8.0 existe una vulnerabilidad de heap use after free en la funci\u00f3n f_strflocaltime de /src/builtin.c. Este problema se ha corregido en el commit 499c91b; no se conoce ninguna versi\u00f3n al momento de la publicaci\u00f3n. "}], "id": "CVE-2025-49014", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-19T15:15:20.650", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e"}, {"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: jq Heap Use-After-Free Vulnerability", "id": "2373892", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373892"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-416", "details": ["jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.", "A flaw was found in jq. The `f_strflocaltime` function in `builtin.c` contains a heap use-after-free vulnerability, which can allow a local attacker to trigger a crash by providing a specially crafted input. This condition arises from the use of freed memory, leading to unpredictable program behavior. The vulnerability can directly result in an application level denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-49014", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:trusted_application_pipeline:1", "fix_state": "Not affected", "package_name": "rhtap-cli/rhtap-cli-rhel9", "product_name": "Red Hat Trusted Application Pipeline"}], "public_date": "2025-06-19T15:08:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-49014\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49014\nhttps://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e\nhttps://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2"], "threat_severity": "Moderate"}

{"created": "2025-06-20T13:24:21.515848+00:00", "updated": "2025-06-20T13:24:21.515931+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}