CVE-2025-48060

Name: CVE-2025-48060
Description: jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1106288

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version | Status
---------------+--------------------+---------+-----------
jq (PTS)       | bookworm, bullseye | 1.6-2.1 | vulnerable
               | trixie             | 1.7.1-5 | vulnerable
               | sid                | 1.7.1-6 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
--------+--------+------------+---------------+---------+--------+------------
jq      | source | (unstable) | (unfixed)     |         |        | 1106288

Notes

https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
