CVE-2025-49014: jq JSON Processor Use-After-Free Flaw

CVE-2025-49014 is a heap use-after-free vulnerability in jq, a command-line JSON processor, that affects version 1.8.0. This post covers the technical details, affected versions, security impact, and available mitigations.

CVE-2025-49014 Overview

CVE-2025-49014 is a heap use-after-free vulnerability in jq, a lightweight and flexible command-line JSON processor widely used in scripting and automation pipelines. The vulnerability exists within the f_strflocaltime function in /src/builtin.c and affects version 1.8.0 of the software.

Critical Impact

This use-after-free vulnerability could allow an attacker to cause denial-of-service conditions through memory corruption when jq processes crafted JSON input with datetime formatting operations.

Affected Products

  • jq version 1.8.0
  • Systems using jq 1.8.0 for JSON processing in automation pipelines
  • Scripts and applications dependent on jq 1.8.0 datetime formatting functions

Discovery Timeline

  • 2025-06-19 - CVE-2025-49014 published to NVD
  • 2025-06-23 - Last updated in NVD database

Technical Details for CVE-2025-49014

Vulnerability Analysis

This vulnerability is classified as CWE-416 (Use After Free), a memory corruption flaw that occurs when a program continues to reference memory after it has been freed. In the context of jq version 1.8.0, the vulnerability manifests in the f_strflocaltime function responsible for formatting datetime values according to specified format strings.

The use-after-free condition can lead to unpredictable behavior, including application crashes and potential memory corruption. When exploited, this could result in denial of service for applications and scripts that rely on jq for JSON processing workflows.

Root Cause

The root cause lies in improper memory handling within the f_strflocaltime function in /src/builtin.c. The function fails to properly validate the format string before memory operations occur, leading to a condition where freed heap memory may be accessed. The fix introduces validation to check if the format string is empty before proceeding with memory allocation and strftime operations.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker could exploit this vulnerability by providing specially crafted JSON input containing datetime values that trigger the vulnerable strflocaltime function with malicious format strings. This is particularly relevant in scenarios where jq processes untrusted JSON data from external sources.

c
// Security patch for CVE-2025-49014 in src/builtin.c
     return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs"));
 
   const char *fmt = jv_string_value(b);
+  int fmt_not_empty = *fmt != '\0';
   size_t max_size = strlen(fmt) + 100;
   char *buf = jv_mem_alloc(max_size);
 #ifdef __APPLE__
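
Review bot: the context line above the added declaration returns the error "strftime/1 requires parsed datetime inputs", so this excerpt appears to sit in the strftime path, while the advisory text names f_strflocaltime; the excerpt should also show the corresponding change in f_strflocaltime, or readers should confirm it in the linked commit. The added fmt_not_empty flag is only declared in these lines: the code that reads it falls outside the excerpt, so the empty-format check described under Root Cause cannot be confirmed from this excerpt alone.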

Source: GitHub Commit 499c91b

Detection Methods for CVE-2025-49014

Indicators of Compromise

  • Unexpected jq process crashes during JSON datetime formatting operations
  • Segmentation faults or memory access violations in jq processes
  • Abnormal memory usage patterns when processing JSON with strflocaltime functions
  • Application logs showing memory-related errors from jq operations

Detection Strategies

  • Monitor for jq process crashes or unexpected terminations in production environments
  • Implement input validation for JSON data before passing to jq for processing
  • Use memory sanitizers (ASan, MSan) in development environments to detect use-after-free conditions
  • Review logs for patterns of repeated jq failures when processing datetime fields

Monitoring Recommendations

  • Enable core dump collection for jq processes to facilitate crash analysis
  • Implement alerting on abnormal jq process exit codes in automation pipelines
  • Monitor system memory allocation patterns for applications using jq extensively
  • Track jq version deployments across infrastructure to identify vulnerable installations

How to Mitigate CVE-2025-49014

Immediate Actions Required

  • Identify all systems running jq version 1.8.0 and prioritize for remediation
  • Apply the security patch from commit 499c91b or upgrade when a fixed release is available
  • Implement input validation to filter potentially malicious datetime format strings
  • Consider temporarily avoiding strflocaltime operations on untrusted input until patched

Patch Information

The vulnerability has been addressed in commit 499c91bca9d4d027833bc62787d1bb075c03680e. At the time of publication, no official release version containing the fix was available. Organizations should either apply the patch manually by building from source or monitor for an upcoming release that incorporates this fix.

For detailed patch information, refer to the GitHub Security Advisory GHSA-rmjp-cr27-wpg2 and the GitHub Commit.

Workarounds

  • Validate and sanitize all format strings passed to jq datetime functions before processing
  • Avoid using strflocaltime on untrusted or external JSON input until the patch is applied
  • Implement sandboxing or containerization for jq processes handling untrusted data
  • Consider using alternative datetime formatting methods that do not rely on the vulnerable function
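
bash
# Check the jq version to identify vulnerable installations (1.8.0 is affected)
jq --version

# Build jq from source at the commit that contains the security patch
git clone https://github.com/jqlang/jq.git
cd jq
git checkout 499c91bca9d4d027833bc62787d1bb075c03680e
# Fetch the bundled oniguruma submodule, needed when building from a git checkout
git submodule update --init
autoreconf -i
./configure --with-oniguruma=builtin
make
sudo make install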
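
The version tracking, exit-code alerting and format-string review recommended in the detection and workaround sections above can be scripted for pipeline wrappers. The following is an added example, not code from the advisory or the jq project; the function names, the constructed sample filters and the choice to send suffixed 1.8.0 builds to manual review are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the jq project): triage helpers for CVE-2025-49014.

# Classify the output of `jq --version`. The page lists 1.8.0 as affected; builds with a
# suffix (source or distro builds) may or may not carry the fix, so they go to review.
classify_jq_version() {
  case "$1" in
    jq-1.8.0)   echo affected ;;
    jq-1.8.0?*) echo review ;;
    *)          echo not-listed ;;
  esac
}

# Map a shell exit status from a jq run to an alert class. Statuses above 128 mean the
# process was killed by signal (status - 128), e.g. 139 = SIGSEGV, 134 = SIGABRT.
classify_jq_exit() {
  if [ "$1" -eq 0 ]; then echo ok
  elif [ "$1" -gt 128 ]; then echo "crash:signal-$(( $1 - 128 ))"
  else echo "error:$1"
  fi
}

# Heuristic audit of jq filter text on stdin: print numbered lines where strftime or
# strflocaltime gets an empty literal format or a format that is not a string literal
# (for example a value taken from the input document or a variable).
audit_time_formats() {
  grep -nE '(strftime|strflocaltime)\(([[:space:]]*""[[:space:]]*|[[:space:]]*[^"[:space:]][^)]*)\)' || true
}

# Constructed sample filters, one per line, as they might appear in pipeline scripts.
SAMPLE_FILTERS='.created | strflocaltime("%Y-%m-%d")
.created | strflocaltime(.user_format)
.created | strftime($fmt)
.created | strflocaltime("")
.name | ascii_downcase'

# Demo on constructed values; a real wrapper would pass "$(jq --version)" and "$?".
echo "version jq-1.8.0 -> $(classify_jq_version jq-1.8.0)"
echo "exit 139 -> $(classify_jq_exit 139)"
printf '%s\n' "$SAMPLE_FILTERS" | audit_time_formats
```

The audit is a line-based heuristic: it will miss calls split across lines and should be treated as a first pass before manual review of the flagged filters.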

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
