Medium severityOSV Advisory· Published Jun 19, 2025· Updated Apr 15, 2026

CVE-2025-49014

Description

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

Affected products

Jqlang/JqOSV
Range: 1.6rc2, jq-1.0, jq-1.1, …

Patches

499c91bca9d4

https://github.com/jqlang/jqvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680envd
github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000