CVE-2025-49014: 
Wolfi vulnerability analysis and mitigation

CVE-2025-49014 affects jq, a command-line JSON processor. The vulnerability was discovered in version 1.8.0 and disclosed on June 18, 2025. The issue involves a heap use-after-free vulnerability within the function f_strflocaltime of /src/builtin.c. While a patch has been developed in commit 499c91b, no official fixed version exists at the time of publication (GitHub Advisory, NVD).

The vulnerability is classified as a heap use-after-free issue occurring specifically in the f_strflocaltime function within the src/builtin.c file. The CVSS 4.0 score is 5.5 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P. The issue manifests when handling empty string inputs in the strflocaltime function, which can lead to potential memory corruption (Wiz).

The vulnerability allows for heap memory access after it has been freed, which could potentially lead to program crashes or memory corruption. The severity is rated as Medium, indicating that while the vulnerability presents a security risk, its impact is somewhat limited (GitHub Advisory).

A patch has been developed and committed (commit 499c91b) that addresses the vulnerability by properly handling empty string cases in the f_strflocaltime function. However, as no official fixed version has been released, users are advised to monitor for updates (GitHub Commit).