CVE-2025-9403
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-25
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9403
EUVD
EUVD-2025-25716
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9403 is an assertion failure vulnerability in the jq JSON processor, specifically in the run_jq_tests function of the jq_test.c file. It occurs when the jq test suite processes malformed JSON input containing invalid Unicode escape sequences. The test suite attempts to verify that the expected JSON value matches the reparsed JSON value, but due to inconsistencies in handling these invalid sequences, the assertion comparing these values fails. This causes the program to abort with a SIGABRT signal, leading to a crash. Exploitation requires local access and involves triggering this assertion failure with crafted malformed JSON input. [1, 2, 3]

Impact Analysis

This vulnerability can cause the jq program to crash unexpectedly due to an assertion failure when processing malformed JSON input with invalid Unicode escape sequences. The impact is primarily on availability, as the program aborts and terminates, potentially disrupting workflows or automated processes relying on jq. Since exploitation requires local access and the vulnerability affects the internal test suite, the risk is limited but can still cause denial of service on affected systems. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by running the jq test suite with a specially crafted malformed JSON file containing invalid Unicode escape sequences that trigger the assertion failure. A proof-of-concept file named 'POC_jq_assertion_failure_test_suite_parsing' can be used. The detection command is: jq -c --compact-output --library-path %s%d%x --debug-trace=all --run-tests .POC_jq_assertion_failure_test_suite_parsing If the vulnerability is present, jq will abort with an assertion failure and a SIGABRT signal. [2, 3]

Mitigation Strategies

No known mitigations or countermeasures exist for this vulnerability. The suggested immediate step is to replace the affected jq version (up to 1.6) with an alternative JSON processor or a fixed version once available. Avoid running jq with untrusted malformed JSON inputs in the meantime. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart