CVE-2025-48060

AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

Published: 5/21/2025 Last updated: 11/3/2025 Reserved: 5/15/2025

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	7.7	High	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Opam packages affected (2)

conf-jq travis-opam

Products affected (2)

Product	Vendor	Version
jq	jqlang	7.4.2
jq	jqlang	< 1dbc6a1e25be8575d6c4114d1d2b841a796507f7

References (6)

https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
https://lists.debian.org/debian-lts-announce/2025/09/msg00022.html
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
https://lists.debian.org/debian-lts-announce/2025/09/msg00022.html