{"id":"UBUNTU-CVE-2025-49014","details":"jq is a command-line JSON processor. In version 1.8.0, a heap use-after-free vulnerability exists in the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b; no known fix version exists at the time of publication.","modified":"2025-07-16T05:26:27Z","published":"2025-06-19T15:15:00Z","withdrawn":"2025-07-18T17:05:07Z","upstream":["CVE-2025-49014"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-49014"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-49014"},{"type":"REPORT","url":"https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2"}],"affected":[{"package":{"name":"jq","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/jq@1.6-2.1ubuntu3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6-2.1ubuntu3"}]}],"versions":["1.6-2.1ubuntu2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"jq","binary_version":"1.6-2.1ubuntu3"},{"binary_name":"jq-dbgsym","binary_version":"1.6-2.1ubuntu3"},{"binary_name":"libjq-dev","binary_version":"1.6-2.1ubuntu3"},{"binary_name":"libjq1","binary_version":"1.6-2.1ubuntu3"},{"binary_name":"libjq1-dbgsym","binary_version":"1.6-2.1ubuntu3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-49014.json"}},{"package":{"name":"jq","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/jq@1.7.1-3build1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.1-3build1"}]}],"versions":["1.6-3","1.7-1","1.7.1-2","1.7.1-3"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"jq","binary_version":"1.7.1-3build1"},{"binary_name":"jq-dbgsym","binary_version":"1.7.1-3build1"},{"binary_name":"libjq-dev","binary_version":"1.7.1-3build1"},{"binary_name":"libjq1","binary_version":"1.7.1-3build1"},{"binary_name":"libjq1-dbgsym","binary_version":"1.7.1-3build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-49014.json"}},{"package":{"name":"jq","ecosystem":"Ubuntu:25.04","purl":"pkg:deb/ubuntu/jq@1.7.1-3ubuntu1?arch=source&distro=plucky"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.1-3ubuntu1"}]}],"versions":["1.7.1-3build1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"jq","binary_version":"1.7.1-3ubuntu1"},{"binary_name":"jq-dbgsym","binary_version":"1.7.1-3ubuntu1"},{"binary_name":"libjq-dev","binary_version":"1.7.1-3ubuntu1"},{"binary_name":"libjq1","binary_version":"1.7.1-3ubuntu1"},{"binary_name":"libjq1-dbgsym","binary_version":"1.7.1-3ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-49014.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"type":"Ubuntu","score":"medium"}]}