CVE-2025-48060

HIGH

jqlang/jq <= 1.7.1 - Heap-based Buffer Overflow in jv_string_vfmt

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-48060. PoCs published by leorivass.

AI-analyzed exploit summary This repository provides a backported patch for CVE-2025-48060, a heap buffer overflow vulnerability in jq 1.6's `jv_string_empty` function. It includes detailed instructions for applying the patch and verifying the fix via regression tests.

Description

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

Exploits (1)

nomisec WRITEUP 1 stars
by leorivass · poc
https://github.com/leorivass/jq-els-backport-cve-2025-48060

This repository provides a backported patch for CVE-2025-48060, a heap buffer overflow vulnerability in jq 1.6's `jv_string_empty` function. It includes detailed instructions for applying the patch and verifying the fix via regression tests.

Classification
Writeup 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: jq 1.6
No auth needed
Prerequisites: Access to jq 1.6 source code · Build tools (autoreconf, make, etc.)
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0044
EPSS Percentile 35.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-121 CWE-787
Status published
Products (1)
jqlang/jq < 1.7.1
Published May 21, 2025
Tracked Since Feb 18, 2026