CVE-2025-48060

AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

Severity Score

7.7

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

A flaw was found in jq, a command line JSON processor. A specially crafted input can cause a heap-based buffer over-read when formatting an empty string because it was not properly null-terminated, causing a crash and resulting in a denial of service.

It was discovered that jq incorrectly handled certain values when parsing JSON data. A remote attacker could possibly use this issue to cause jq to crash, resulting in a denial of service. It was discovered that jq incorrectly handled NaN values when parsing JSON data. A remote attacker could possibly use this issue to cause jq to crash, resulting in a denial of service. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 25.04.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

None

Availability

High

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-05-15 CVE Reserved
2025-05-21 CVE Published
2025-05-21 CVE Updated
2025-07-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-121: Stack-based Buffer Overflow
CWE-126: Buffer Over-read

CAPEC

References (3)

URL	Tag	Source
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-48060	2025-08-05
https://bugzilla.redhat.com/show_bug.cgi?id=2367842	2025-08-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jqlang Search vendor "Jqlang"		Jq Search vendor "Jqlang" for product "Jq"				<= 1.7.1 Search vendor "Jqlang" for product "Jq" and version " <= 1.7.1"		en		Affected