CVE-2025-49014 in jqlanginfo

Summary

by MITRE • 06/19/2025

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/24/2025

The vulnerability CVE-2025-49014 represents a critical heap use after free flaw in the jq command-line JSON processor version 1.8.0. This security issue resides within the f_strflocaltime function located in the /src/builtin.c source file, making it a fundamental component of the application's processing pipeline. The vulnerability arises from improper memory management during the handling of timestamp formatting operations, where freed memory blocks are accessed after being deallocated from the heap. This type of vulnerability falls under CWE-416, which specifically addresses Use After Free conditions in software development. The flaw demonstrates how seemingly routine date and time formatting operations can introduce dangerous memory access patterns that adversaries can exploit to compromise system integrity.

The operational impact of this vulnerability extends beyond simple memory corruption, as it creates potential vectors for remote code execution and arbitrary code execution within the context of the jq process. When the f_strflocaltime function processes timestamp data, it manipulates memory structures that may be freed prematurely, allowing attackers to craft malicious JSON inputs that trigger the use after free condition. The vulnerability affects the core functionality of jq, which is widely used for processing and transforming JSON data in automation scripts, configuration management, and data processing pipelines. Attackers could leverage this flaw by providing specially crafted JSON input containing malformed timestamp data that would cause the application to access freed memory blocks, potentially leading to heap corruption and system compromise. This vulnerability directly aligns with ATT&CK technique T1059.006 for Command and Scripting Interpreter, as it enables adversaries to execute malicious code through compromised jq processing environments.

Mitigation strategies for CVE-2025-49014 should prioritize immediate patching of affected systems, as no official fix version has been released at the time of publication. Organizations should implement network segmentation and access controls to limit exposure of systems running jq, particularly in environments where untrusted JSON data is processed. Input validation and sanitization should be enforced at all levels of jq usage, with strict restrictions on timestamp formatting operations and date/time data handling. Security monitoring should focus on detecting unusual memory access patterns and potential exploitation attempts through malformed JSON inputs. System administrators should consider implementing application whitelisting policies that restrict jq execution to trusted environments and monitored processes. The vulnerability highlights the importance of proper memory management practices in C-based applications and underscores the need for regular security audits of core system utilities. Additionally, organizations should implement continuous monitoring for emerging patches and updates from the jq development team, as this vulnerability demonstrates how even well-established tools can contain critical memory safety issues that require immediate attention.

Responsible

GitHub M

Reservation

05/29/2025

Disclosure

06/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00321

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!