CVE-2025-48060 in jq

Summary

by MITRE • 05/21/2025

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens in file jv.c, line 1456 `void* p = malloc(sz);`. As of the time of publication, no patched versions are available.


Analysis

by VulDB Data Team • 08/05/2025

CVE-2025-48060 is a critical heap-buffer-overflow in jq, the command-line JSON processor. It affects versions up to and including 1.7.1, so any system that uses jq for JSON processing is in scope. The flaw lies in the jv_string_vfmt function, part of jq's core JSON value (jv) handling, and the crash is reported at line 1456 of jv.c, where the allocation malloc(sz) is performed without adequate bounds checking or validation of the requested size.

The flaw stems from improper memory management during string formatting in jq's JSON value pipeline. When jv_string_vfmt formats a string, it derives the buffer size sz from its inputs, and that size is not properly validated or constrained; as a result malloc can return a buffer that is too small for the data subsequently written into it, producing a heap-buffer-overflow condition that could be exploited. The crash was surfaced by the jq_fuzz_execute harness in oss-fuzz, i.e. it was discovered through the automated fuzz testing that is routinely applied to open-source software to find security issues.
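The defensive shape of a vsnprintf-based formatter, as an added illustration of the size-before-malloc pattern the analysis describes. This is not jq's code, not the jv_string_vfmt implementation and not the fix for CVE-2025-48060; the cap FMT_MAX_LEN, the function names and the sample inputs are assumptions made for the example. The points it demonstrates are the ones a reviewer would check at a `malloc(sz)` site: a negative vsnprintf return is an error and never becomes a size, the size is bounded before `needed + 1` is computed, and the second formatting pass is verified against the measurement so a short buffer is never handed back.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on a formatted string (example value, not a jq constant).
 * Kept small so the oversize demo below runs quickly. */
#define FMT_MAX_LEN (1u << 20)

/* Result of a formatting attempt: a heap string plus its length, or
 * str == NULL on any error so a caller can never use an undersized buffer. */
typedef struct {
    char  *str;   /* NUL-terminated, heap-allocated; NULL on failure */
    size_t len;   /* strlen(str) when str != NULL */
} fmt_result;

static fmt_result safe_vfmt(const char *fmt, va_list ap) {
    fmt_result r = { NULL, 0 };
    va_list ap2;

    /* Pass 1: measure only. A negative return signals an encoding or
     * format error and must not be turned into an allocation size. */
    va_copy(ap2, ap);
    int needed = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (needed < 0) return r;

    /* Bound the size before computing sz = needed + 1, so the request
     * can neither wrap nor exceed policy. */
    if ((size_t)needed >= FMT_MAX_LEN) return r;
    size_t sz = (size_t)needed + 1;

    char *buf = malloc(sz);
    if (buf == NULL) return r;

    /* Pass 2: format into the exactly-sized buffer and confirm the length
     * matches the measurement; a mismatch means the arguments changed
     * between passes and the buffer contents cannot be trusted. */
    va_copy(ap2, ap);
    int written = vsnprintf(buf, sz, fmt, ap2);
    va_end(ap2);
    if (written != needed) {
        free(buf);
        return r;
    }

    r.str = buf;
    r.len = (size_t)needed;
    return r;
}

/* Variadic convenience wrapper around safe_vfmt. */
static fmt_result safe_fmt(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    fmt_result r = safe_vfmt(fmt, ap);
    va_end(ap);
    return r;
}

/* Drivers for the two behaviours worth checking; each returns 1 when the
 * formatter behaves as intended and 0 otherwise. Inputs are constructed. */
int example_formats_ok(void) {
    fmt_result r = safe_fmt("key=%s value=%d", "answer", 42);
    int ok = r.str != NULL && r.len == 19 &&
             strcmp(r.str, "key=answer value=42") == 0;
    free(r.str);
    return ok;
}

int example_rejects_oversized(void) {
    /* A field width above the cap is refused before any malloc happens. */
    fmt_result r = safe_fmt("%*d", (int)FMT_MAX_LEN + 1, 7);
    return r.str == NULL;
}

int main(void) {
    printf("normal input formatted: %s\n", example_formats_ok() ? "yes" : "no");
    printf("oversized input rejected: %s\n", example_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The measure-then-allocate approach costs a second vsnprintf call but removes any arithmetic on an unchecked size; the cap is what keeps the `(size_t)needed + 1` computation and the allocation itself within a range the program has explicitly decided to tolerate.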

The operational impact goes beyond simple denial of service. Because heap overflows often open the way to more sophisticated attacks, successful exploitation could potentially allow arbitrary code execution on systems running a vulnerable version of jq. With no patched version available at the time of publication, organizations that rely on jq for data processing face an immediate security risk, particularly in environments where JSON parsing is frequent. The issue is not tied to one platform: it affects jq wherever it is compiled and executed, including Unix-like systems, Linux distributions and potentially Windows environments.

Security practitioners should treat this vulnerability under the CWE-122 weakness category, which covers heap-based buffer overflows. The ATT&CK framework would classify it under technique T1059.007 (command and scripting interpreter), since jq is commonly used in shell scripting environments where such vulnerabilities could be leveraged for privilege escalation. Organizations should immediately implement mitigations such as restricting access to jq functionality, validating all JSON inputs through alternative means, and monitoring for unusual memory allocation patterns that might indicate exploitation attempts. The vulnerability underscores the importance of keeping software versions up to date and of robust input validation in all JSON processing applications.

Responsible

GitHub M

Reservation

05/15/2025

Disclosure

05/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00588

KEV

no

Activities

very low
