CVE-2025-49014 Overview
CVE-2025-49014 is a heap use after free vulnerability in jq, a lightweight and flexible command-line JSON processor widely used in scripting and automation pipelines. The vulnerability exists within the f_strflocaltime function in /src/builtin.c and affects version 1.8.0 of the software.
Critical Impact
This use after free vulnerability could allow an attacker to cause denial of service conditions through memory corruption when processing crafted JSON input with datetime formatting operations.
Affected Products
- jq version 1.8.0
- Systems using jq 1.8.0 for JSON processing in automation pipelines
- Scripts and applications dependent on jq 1.8.0 datetime formatting functions
Discovery Timeline
- 2025-06-19 - CVE-2025-49014 published to NVD
- 2025-06-23 - Last updated in NVD database
Technical Details for CVE-2025-49014
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption flaw that occurs when a program continues to reference memory after it has been freed. In the context of jq version 1.8.0, the vulnerability manifests in the f_strflocaltime function responsible for formatting datetime values according to specified format strings.
The use after free condition can lead to unpredictable behavior including application crashes and potential memory corruption. When exploited, this could result in denial of service for applications and scripts that rely on jq for JSON processing workflows.
Root Cause
The root cause lies in improper memory handling within the f_strflocaltime function in /src/builtin.c. The function fails to properly validate the format string before memory operations occur, leading to a condition where freed heap memory may be accessed. The fix introduces validation to check if the format string is empty before proceeding with memory allocation and strftime operations.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker could exploit this vulnerability by providing specially crafted JSON input containing datetime values that trigger the vulnerable strflocaltime function with malicious format strings. This is particularly relevant in scenarios where jq processes untrusted JSON data from external sources.
// Security patch for CVE-2025-49014 in src/builtin.c
return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs"));
const char *fmt = jv_string_value(b);
+ int fmt_not_empty = *fmt != '\0';
size_t max_size = strlen(fmt) + 100;
char *buf = jv_mem_alloc(max_size);
#ifdef __APPLE__
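Review bot: the added line `int fmt_not_empty = *fmt != '\0';` needs a comment explaining why the emptiness test is cached at this point. `fmt` comes from `jv_string_value(b)`, so it points into `b`'s storage and is only safe to dereference while `b` is still held. Without a comment, a later cleanup could reintroduce a read of `*fmt` after `b` has been released. The excerpt does not show where `fmt_not_empty` is consumed, so confirm that every later emptiness check uses the flag rather than `*fmt`. Also, the context line's error text names `strftime/1` while the advisory names `f_strflocaltime`; check that both functions receive the same change.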
Source: GitHub Commit 499c91b
Detection Methods for CVE-2025-49014
Indicators of Compromise
- Unexpected jq process crashes during JSON datetime formatting operations
- Segmentation faults or memory access violations in jq processes
- Abnormal memory usage patterns when processing JSON with strflocaltime functions
- Application logs showing memory-related errors from jq operations
Detection Strategies
- Monitor for jq process crashes or unexpected terminations in production environments
- Implement input validation for JSON data before passing to jq for processing
- Use memory sanitizers (ASan, MSan) in development environments to detect use after free conditions
- Review logs for patterns of repeated jq failures when processing datetime fields
Monitoring Recommendations
- Enable core dump collection for jq processes to facilitate crash analysis
- Implement alerting on abnormal jq process exit codes in automation pipelines
- Monitor system memory allocation patterns for applications using jq extensively
- Track jq version deployments across infrastructure to identify vulnerable installations
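One way to implement the exit-code alerting and version tracking recommended above, as an added example that is not part of the original advisory or the jq project. The function names, the `JQ_VERDICT` variable and the alert text are hypothetical, and the version check assumes `jq --version` prints `jq-<version>`.

```shell
#!/bin/sh
# Added example: helper names and messages are hypothetical, not part of jq.

# jq_version_status "<output of jq --version>"
# Assumes release builds print "jq-<version>". Builds from git carry a suffix
# after the tag, which alone does not show whether the fix commit is included.
jq_version_status() {
  case "$1" in
    jq-1.8.0)   echo vulnerable ;;   # the release this advisory names
    jq-1.8.0-*) echo review ;;       # git build on top of 1.8.0: check the commit
    jq-[0-9]*)  echo not-listed ;;   # not the version named on this page
    *)          echo review ;;       # unparseable output
  esac
}

# classify_exit <status>
# A status above 128 means the process was killed by signal (status - 128);
# jq's own error statuses are small positive numbers. Linux signal numbers.
classify_exit() {
  if [ "$1" -eq 0 ]; then
    echo ok
  elif [ "$1" -gt 128 ]; then
    case $(( $1 - 128 )) in
      6)  echo crash:SIGABRT ;;
      11) echo crash:SIGSEGV ;;
      *)  echo "crash:signal-$(( $1 - 128 ))" ;;
    esac
  else
    echo "error:$1"
  fi
}

# run_monitored <command...>
# Runs the command (normally jq with its arguments), leaves its stdout alone,
# stores the verdict in JQ_VERDICT, alerts on stderr for crashes, and returns
# the original status so the pipeline still fails.
run_monitored() {
  rm_status=0
  "$@" || rm_status=$?
  JQ_VERDICT=$(classify_exit "$rm_status")
  case "$JQ_VERDICT" in
    crash:*) echo "ALERT: abnormal termination ($JQ_VERDICT): $*" >&2 ;;
  esac
  return "$rm_status"
}
```

In a pipeline, call it as `run_monitored jq '<filter>' input.json` and route the stderr alert line to the existing log collector.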
How to Mitigate CVE-2025-49014
Immediate Actions Required
- Identify all systems running jq version 1.8.0 and prioritize for remediation
- Apply the security patch from commit 499c91b or upgrade when a fixed release is available
- Implement input validation to filter potentially malicious datetime format strings
- Consider temporarily avoiding strflocaltime operations on untrusted input until patched
Patch Information
The vulnerability has been addressed in commit 499c91bca9d4d027833bc62787d1bb075c03680e. At the time of publication, no official release version containing the fix was available. Organizations should either apply the patch manually by building from source or monitor for an upcoming release that incorporates this fix.
For detailed patch information, refer to the GitHub Security Advisory GHSA-rmjp-cr27-wpg2 and the GitHub Commit.
Workarounds
- Validate and sanitize all format strings passed to jq datetime functions before processing
- Avoid using strflocaltime on untrusted or external JSON input until the patch is applied
- Implement sandboxing or containerization for jq processes handling untrusted data
- Consider using alternative datetime formatting methods that do not rely on the vulnerable function
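# Check jq version to identify vulnerable installations
jq --version
# Build jq from source with the security patch applied
git clone https://github.com/jqlang/jq.git
cd jq
git checkout 499c91bca9d4d027833bc62787d1bb075c03680e
# Fetch the bundled oniguruma submodule, which a plain clone leaves empty
git submodule update --init
autoreconf -i
./configure --with-oniguruma=builtin
make
# Run the test suite before installing
make check
sudo make install
# Confirm which jq binary is first on PATH and what version it reports
command -v jq
jq --version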


