CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49014 – jq heap use after free vulnerability in f_strflocaltime
https://notcve.org/view.php?id=CVE-2025-49014
19 Jun 2025 — jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication. These are all security issues fixed in the jq-1.8.1-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48060 – AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)
https://notcve.org/view.php?id=CVE-2025-48060
21 May 2025 — jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. A flaw was found in jq, a command line JSON processor. • https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w • CWE-121: Stack-based Buffer Overflow CWE-126: Buffer Over-read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23337 – jq has signed integer overflow in jv.c:jvp_array_write
https://notcve.org/view.php?id=CVE-2024-23337
21 May 2025 — jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. A flaw was found in jq, a command line JSON processor. • https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46 • CWE-125: Out-of-bounds Read CWE-190: Integer Overflow or Wraparound •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53427 – openSUSE Security Advisory - openSUSE-SU-2025:15161-1
https://notcve.org/view.php?id=CVE-2024-53427
26 Feb 2025 — jq v1.7.1 contains a stack-buffer-overflow in the decNumberCopy function within decNumber.c. decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits). It was discovered that jq incorrectl... • https://github.com/jqlang/jq/issues/3196 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50268 – jq has stack-based buffer overflow in decNaNs
https://notcve.org/view.php?id=CVE-2023-50268
13 Dec 2023 — jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue. jq es un procesador JSON de línea de comandos. La versión 1.7 es vulnerable al desbordamiento del búfer basado en pila en compilaciones que utilizan decNumber. La versión 1.7.1 contiene un parche para este problema. • http://www.openwall.com/lists/oss-security/2023/12/15/10 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50246 – jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c
https://notcve.org/view.php?id=CVE-2023-50246
13 Dec 2023 — jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue. jq es un procesador JSON de línea de comandos. La versión 1.7 es vulnerable al desbordamiento de búfer de almacenamiento dinámico. La versión 1.7.1 contiene un parche para este problema. • http://www.openwall.com/lists/oss-security/2023/12/15/10 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49355
https://notcve.org/view.php?id=CVE-2023-49355
11 Dec 2023 — decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation. decToString en decNumber/decNumber.c en jq 88f01a7 tiene una escritura fuera de los límites de un byte a través de la entrada "[]-1.2e-1111111111". • https://github.com/jqlang/jq/blob/88f01a741c8d63c4d1b5bc3ef61520c6eb93edaa/src/decNumber/decNumber.c#L3764 • CWE-787: Out-of-bounds Write •