CVE-2025-9403: 
NixOS vulnerability analysis and mitigation

A vulnerability has been identified in jqlang jq versions up to 1.6 (CVE-2025-9403). The issue affects the function run_jq_tests in the file jq_test.c of the JSON Parser component. The vulnerability was discovered on August 24, 2025, and involves a reachable assertion condition that can be triggered through local access (NVD, VulDB).

The vulnerability is classified as CWE-617 (Reachable Assertion) and has received a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The CVSS v3.1 base score is 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability requires local access and low attack complexity to exploit (NVD).

Successful exploitation of this vulnerability can lead to a reachable assertion condition, potentially causing availability issues in the affected system. The impact is primarily limited to availability (Low), with no direct effect on confidentiality or integrity (VulDB).

Currently, there is no official fix available for this vulnerability. Users are advised to restrict access to the affected systems to authorized and trusted personnel only (GitHub Issue).