{"id":"AZL-61974","summary":"CVE-2025-48060 affecting package jq for versions less than 1.6-4","details":"jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.","modified":"2026-04-21T04:31:53.092135Z","published":"2025-05-21T18:15:53Z","upstream":["CVE-2025-48060"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48060"}],"affected":[{"package":{"name":"jq","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/jq"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6-4"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61974.json"}}],"schema_version":"1.7.5"}