CVE-2025-48060 Overview
CVE-2025-48060 is a heap-buffer-overflow vulnerability affecting jq, a popular command-line JSON processor. The vulnerability exists in versions up to and including 1.7.1, specifically in the jv_string_vfmt function within the jv.c source file at line 1456. This memory corruption flaw was discovered through the OSS-Fuzz project's jq_fuzz_execute harness, highlighting the importance of continuous fuzzing in identifying security vulnerabilities in widely-used software components.
Critical Impact
This heap-buffer-overflow vulnerability can be exploited remotely without authentication, potentially causing denial of service conditions in systems and applications that rely on jq for JSON processing.
Affected Products
- jqlang jq versions up to and including 1.7.1
- All applications and systems utilizing vulnerable jq binaries for JSON processing
- Container images and Linux distributions packaging vulnerable jq versions
Discovery Timeline
- 2025-05-21 - CVE-2025-48060 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-48060
Vulnerability Analysis
This vulnerability represents a classic heap-buffer-overflow (CWE-787: Out-of-bounds Write, CWE-121: Stack-based Buffer Overflow) that occurs during string formatting operations in jq's core JSON value handling code. The flaw manifests in the jv_string_vfmt function, which is responsible for formatting string values within jq's internal JSON representation system.
The vulnerable code path involves a memory allocation via malloc(sz) at line 1456 in jv.c, where insufficient bounds checking allows an attacker to trigger an overflow condition. When processing specially crafted JSON input or jq filter expressions, the application can write beyond the allocated heap buffer boundaries, corrupting adjacent memory regions.
The network attack vector with no authentication requirements means that any system processing untrusted JSON data through jq could be vulnerable to this attack.
Root Cause
The root cause lies in improper memory allocation size calculation within the jv_string_vfmt function. When formatting string values, the function fails to properly account for all possible input lengths, leading to an undersized heap allocation. Subsequent write operations then exceed the allocated buffer, causing heap corruption.
The vulnerability was identified through fuzzing, indicating that edge cases in string formatting logic were not adequately handled, particularly when processing malformed or adversarial input patterns.
Attack Vector
An attacker can exploit this vulnerability by supplying maliciously crafted JSON data or jq filter expressions to a system running a vulnerable version of jq. The attack can be executed remotely over the network without requiring any authentication or user interaction.
Exploitation scenarios include:
- Web applications using jq for server-side JSON transformation receiving malicious API payloads
- CI/CD pipelines processing untrusted JSON configuration files through jq
- Command-line usage where users inadvertently process malicious JSON from untrusted sources
- Automated scripts that fetch and process JSON from external endpoints
The heap-buffer-overflow condition can result in denial of service through application crashes. While the primary impact is availability disruption, heap corruption vulnerabilities can sometimes be leveraged for more severe exploitation depending on the memory layout and application context.
Detection Methods for CVE-2025-48060
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes using jq for JSON processing
- Core dumps indicating heap corruption in the jv_string_vfmt function or jv.c module
- Abnormal memory usage patterns in jq processes before crash events
- Application logs showing jq process termination with memory-related errors
Detection Strategies
- Deploy runtime application self-protection (RASP) to detect heap overflow attempts
- Implement process monitoring to alert on repeated jq crashes that may indicate exploitation attempts
- Use memory sanitizer tools (AddressSanitizer, Valgrind) in development environments to catch heap overflows
- Monitor system logs for segmentation faults and abort signals from jq processes
Monitoring Recommendations
- Configure alerting for jq process crashes and abnormal terminations across production systems
- Implement centralized logging to correlate jq-related errors that may indicate attack attempts
- Monitor for unusual JSON payload sizes or patterns in systems that process external JSON through jq
- Deploy SentinelOne agents to detect and respond to memory corruption exploitation attempts in real-time
How to Mitigate CVE-2025-48060
Immediate Actions Required
- Inventory all systems and applications using jq and identify vulnerable versions (1.7.1 and earlier)
- Implement input validation and size limits for JSON data processed by jq where possible
- Consider temporarily replacing jq with alternative JSON processing tools in critical systems
- Apply any available patches from your Linux distribution (see Debian LTS announcement)
- Restrict network access to systems that process untrusted JSON through jq
Patch Information
As of the original publication date, no official patched version was available from the upstream jqlang project. However, the Debian LTS Announcement indicates that distribution-level patches may be available. Organizations should monitor the GitHub Security Advisory for updates on official fixes and apply distribution patches as they become available.
Workarounds
- Implement strict input validation on JSON data before processing with jq to reject oversized or malformed payloads
- Run jq processes in sandboxed environments with resource limits (memory, CPU) to contain potential exploitation
- Use containerization with read-only filesystems and minimal privileges for jq processing workloads
- Consider implementing alternative JSON processing using safer languages or libraries where jq is not essential
# Configuration example: Resource limits for jq processes
# Limit memory and CPU for jq execution using systemd
# Create /etc/systemd/system/jq-processor.service.d/limits.conf
[Service]
MemoryMax=256M
CPUQuota=50%
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
