Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-48060

Опубликовано: 21 мая 2025
Источник: redhat
CVSS3: 5.5

Описание

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function jv_string_vfmt in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 void* p = malloc(sz);. As of time of publication, no patched versions are available.

A flaw was found in jq, a command line JSON processor. A specially crafted input can cause a heap-based buffer over-read when formatting an empty string because it was not properly null-terminated, causing a crash and resulting in a denial of service.

Отчет

To exploit this flaw, an attacker needs to trick a user into processing a specially crafted JSON input, allowing an attacker to trigger a buffer over-read of 2 bytes and cause a crash in jq with no other security impact. Due to these reasons, this flaw has been rated with a Moderate severity.

Меры по смягчению последствий

Do not process untrusted input with the jq command line JSON processor.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 2automation-controllerAffected
Red Hat Ceph Storage 4jqFix deferred
Red Hat Enterprise Linux 10jqAffected
Red Hat Enterprise Linux 8jqAffected
Red Hat Enterprise Linux 9jqAffected
Red Hat OpenShift Container Platform 4rhcosFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-126
https://bugzilla.redhat.com/show_bug.cgi?id=2367842jq: AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

5.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-48060

ubuntu
28 дней назад

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

nvd логотип

CVE-2025-48060

nvd
28 дней назад

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

debian логотип

CVE-2025-48060

debian
28 дней назад

jq is a command-line JSON processor. In versions up to and including 1 ...

fstec логотип

BDU:2025-06686

CVSS3: 7.5
fstec
29 дней назад

Уязвимость функции jv_string_vfmt функционального языка программирования jq, позволяющая нарушителю вызвать отказ в обслуживании

5.5 Medium

CVSS3