CVE-2025-49014
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-06-23
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap use-after-free issue in the jq tool version 1.8.0, specifically in the function f_strflocaltime within src/builtin.c. It occurs when the program accesses a format string after it has been freed, leading to unsafe behavior and potential crashes. The problem arises from improper handling of the format string in date/time formatting functions, which was fixed by ensuring the format string is checked safely before use to avoid dereferencing freed memory. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause jq to exhibit undefined behavior such as crashes or memory corruption when processing certain date/time format strings. While the severity is rated as low, exploitation could lead to denial of service or instability in applications relying on jq for JSON processing, potentially disrupting workflows or automated systems that depend on jq. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running fuzz testing with AddressSanitizer (ASAN) enabled on the jq binary, using build flags such as `--disable-shared --with-oniguruma=builtin` and compiler flags `-fsanitize=address` and `-fsanitize-address-use-after-scope`. A proof-of-concept command to trigger the issue is: `./jq -nf ./heap-use-after-free.jq`. Monitoring ASAN output for use-after-free errors in f_strflocaltime can confirm the presence of the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the patch introduced in commit 499c91b, which fixes the use-after-free issue in the f_strflocaltime function by safely handling empty format strings. Since no fixed version is available at the time of publication, manually applying this patch or avoiding use of vulnerable jq version 1.8.0 until a patched release is available is recommended. [1]
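The bug class described in the explanation and mitigation answers above (a format string read after its owning value has been released, fixed by checking and using it before the release), shown as a constructed C illustration that is added here and is not taken from jq's src/builtin.c. The `strval` type and the function names are hypothetical stand-ins for jq's value type and builtin.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical owning string value, standing in for jq's jv (constructed). */
typedef struct { char *data; size_t len; } strval;

static strval strval_new(const char *s) {
    strval v;
    v.len = strlen(s);
    v.data = malloc(v.len + 1);
    memcpy(v.data, s, v.len + 1);
    return v;
}
static void strval_free(strval v) { free(v.data); }

/* BEFORE: the bug class described for f_strflocaltime. The builtin borrows the
 * C pointer, releases the owning value, and only then inspects and uses the
 * format. Never called below; under ASAN the empty check reads freed memory. */
static size_t format_time_uaf(strval v, const struct tm *tm, char *out, size_t cap) {
    const char *fmt = v.data;
    strval_free(v);                        /* memory returned to the allocator */
    if (fmt[0] == '\0') { out[0] = '\0'; return 0; } /* use-after-free read */
    return strftime(out, cap, fmt, tm);    /* and again inside strftime() */
}

/* AFTER: do every read of the format (the empty check and strftime) while the
 * value is still alive, and release it only after the last use. */
static size_t format_time_safe(strval v, const struct tm *tm, char *out, size_t cap) {
    size_t n = 0;
    if (v.len == 0 || v.data[0] == '\0') {
        out[0] = '\0';                     /* empty format: nothing to format */
    } else {
        n = strftime(out, cap, v.data, tm);
    }
    strval_free(v);                        /* last use is above; safe to free now */
    return n;
}

/* Helper for checking the safe path: formats a fixed constructed date
 * (2025-06-19 12:00) and returns 1 if the output equals `expected`. */
static int safe_format_matches(const char *fmt, const char *expected) {
    struct tm t; memset(&t, 0, sizeof t);
    t.tm_year = 125; t.tm_mon = 5; t.tm_mday = 19; t.tm_hour = 12;
    char buf[64];
    format_time_safe(strval_new(fmt), &t, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

Building this with `-fsanitize=address` and calling `format_time_uaf` instead of `format_time_safe` reproduces the heap-use-after-free report ASAN gives for the real issue.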