CVE-2025-49014: 
jq vulnerability analysis and mitigation

CVE-2025-49014 affects jq, a command-line JSON processor. The vulnerability was discovered in version 1.8.0, where a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. The issue was identified and disclosed on June 18, 2025, and has been patched in commit 499c91b, though no official fixed version has been released at the time of publication (GitHub Advisory).

The vulnerability is classified as a heap use-after-free issue in the f_strflocaltime function within the src/builtin.c file. The CVSS 4.0 score is 5.5 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P. The issue occurs when handling empty string inputs in the strflocaltime function, leading to potential memory corruption (NVD).

The vulnerability allows for heap memory access after it has been freed, which could potentially lead to program crashes or memory corruption. The severity is rated as Medium, indicating that while the vulnerability presents a security risk, its impact is somewhat limited (GitHub Advisory).

A patch has been developed and committed (commit 499c91b) that addresses the vulnerability by properly handling empty string cases in the f_strflocaltime function. However, as no official fixed version has been released, users are advised to monitor for updates (GitHub Commit).