CVE-2025-49014: CWE-416: Use After Free in jqlang jq
jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.
AI Analysis
Technical Summary
CVE-2025-49014 is a medium-severity vulnerability identified in version 1.8.0 of jq, a widely used command-line JSON processor developed by the jqlang project. The vulnerability is classified as a Use After Free (CWE-416) issue located in the function f_strflocaltime within the source file /src/builtin.c. A Use After Free vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed, potentially leading to undefined behavior such as memory corruption, crashes, or arbitrary code execution. In this specific case, the flaw arises during the processing of JSON data involving local time formatting, which could be triggered by specially crafted input to the jq processor. The vulnerability has been patched in a commit identified as 499c91b; however, at the time of publication, no fixed version had been officially released. The CVSS 4.0 base score is 5.5, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P) reveals that the vulnerability is remotely exploitable over the network without requiring authentication or user interaction, with low attack complexity and limited impact confined to availability (likely causing crashes or denial of service). There is no known exploitation in the wild at the time of reporting. Given jq’s role as a JSON processor, it is commonly integrated into automation scripts, CI/CD pipelines, data processing workflows, and cloud-native environments, making it a critical component in many software stacks. Exploitation could lead to denial of service or potentially memory corruption that might be leveraged for further attacks, depending on the environment and usage context.
Potential Impact
For European organizations, the impact of this vulnerability primarily involves potential disruption of automated data processing and integration workflows that rely on jq version 1.8.0. Industries with heavy reliance on JSON data manipulation—such as finance, telecommunications, healthcare, and government services—may experience service interruptions or degraded reliability if vulnerable jq instances are exploited. Although the vulnerability does not currently have known exploits in the wild, the remote and unauthenticated nature of the flaw increases the risk of opportunistic attacks, especially in exposed environments like public-facing APIs or CI/CD systems. The limited impact on confidentiality and integrity reduces the risk of data breaches directly from this vulnerability; however, availability impacts could cascade into operational downtime or delayed processing. Additionally, jq is often embedded in container images and cloud-native toolchains, which are widely used across European enterprises, increasing the scope of affected systems. Organizations with automated deployment pipelines or those leveraging open-source tooling without strict version control are particularly at risk. The lack of an official patched release at the time of disclosure necessitates cautious mitigation to prevent exploitation.
Mitigation Recommendations
1. Immediate mitigation involves auditing all systems and pipelines to identify usage of jq version 1.8.0. Replace or upgrade jq to the patched version once officially released, or apply the patch manually from commit 499c91b if feasible.
2. Where upgrading is not immediately possible, implement input validation and sanitization on JSON data processed by jq to reduce the risk of triggering the vulnerability.
3. Employ runtime protections such as memory safety tools (e.g., AddressSanitizer) in development and testing environments to detect potential use-after-free conditions.
4. Restrict network exposure of services that utilize jq to trusted internal networks or through VPNs to minimize the remote attack surface.
5. Monitor logs and system behavior for crashes or anomalies in jq-related processes that could indicate exploitation attempts.
6. Incorporate jq version checks into CI/CD pipeline security scans and container image vulnerability assessments to prevent deployment of vulnerable versions.
7. Engage with vendors or open-source maintainers to track the release of official patched versions and apply updates promptly.
8. Educate development and operations teams about the risks associated with using outdated jq versions and encourage best practices in dependency management.
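Recommendations 1 and 6 amount to a version gate: find jq 1.8.0 on build hosts and in container images and fail the pipeline before it ships. The POSIX shell script below is an added example, not code from the advisory or from the jq project. It assumes that `jq --version` prints a string of the form `jq-1.8.0` (possibly followed by a `-<n>-g<hash>` build suffix on source builds), and it flags only 1.8.0, because the advisory names no other affected or fixed release.

```shell
#!/bin/sh
# Added example (not from the advisory or the jq project): gate a CI job on the
# jq version reported by `jq --version`, which prints e.g. "jq-1.8.0".
# Only 1.8.0 is listed as affected by CVE-2025-49014; the advisory names no
# fixed release, so the check flags exactly that version and leaves others alone.

# jq_version_affected VERSION_STRING -> returns 0 if affected, 1 otherwise.
# Accepts the raw output of `jq --version` or a bare version number.
jq_version_affected() {
  v="$1"
  v="${v#jq-}"          # strip the "jq-" prefix that jq --version prints
  v="${v%%-*}"          # drop a git build suffix such as "-5-gabcdef" (assumed format)
  case "$v" in
    1.8.0) return 0 ;;
    *)     return 1 ;;
  esac
}

# check_installed_jq -> prints a verdict for the jq on PATH.
# Exit status: 0 not affected, 1 affected (fail the pipeline), 2 jq not installed.
check_installed_jq() {
  if ! command -v jq >/dev/null 2>&1; then
    echo "jq not installed"
    return 2
  fi
  ver="$(jq --version 2>/dev/null)"
  if jq_version_affected "$ver"; then
    echo "FAIL: $ver is affected by CVE-2025-49014 (CWE-416 in f_strflocaltime)"
    return 1
  fi
  echo "OK: $ver is not listed as affected"
  return 0
}

# Run the live check only when invoked as `sh jq_check.sh --check`, so the
# functions can also be sourced by other scripts without side effects.
if [ "${1:-}" = "--check" ]; then
  check_installed_jq
  exit $?
fi
```

In a CI job, run `sh jq_check.sh --check` as an early step; a non-zero exit stops the build. For container images, the same script can be executed inside the image with `docker run --rm <image> sh -c '...'`, or `jq_version_affected` can be fed the version string recovered by an image scanner. Once the project publishes a fixed release, extend the `case` pattern accordingly rather than hard-coding a single version.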
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.176Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685429df33c7acc0460c31b0
Added to database: 6/19/2025, 3:16:47 PM
Last enriched: 6/19/2025, 3:31:38 PM
Last updated: 8/16/2025, 12:46:55 PM