jq, a lightweight and flexible command-line JSON processor, contains two security vulnerabilities: a signed integer overflow in the jvp_array_write function (CVE-2024-23337) and a stack-buffer-overflow in jq_fuzz_execute detected by AddressSanitizer (CVE-2025-48060). These issues affect Red Hat Enterprise Linux 9 and related CodeReady Linux Builder products across multiple architectures. Red Hat Product Security has rated these vulnerabilities as having moderate security impact and has released updated jq packages to remediate the issues. The advisory references detailed CVE pages for further information and provides links to updated packages. No cloud service is involved, and no known exploitation in the wild has been reported.

The vulnerabilities could potentially lead to memory corruption issues such as buffer overflows and integer overflows within the jq utility, which might be exploited to cause application crashes or other unintended behavior. However, Red Hat rates the security impact as moderate, and no known exploits are currently reported in the wild. The affected jq versions are included in Red Hat Enterprise Linux 9 and related products across multiple hardware architectures.

Red Hat has released updated jq packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 and related products should apply the updates as described in the Red Hat advisory RHSA-2025:10585 and the referenced article https://access.redhat.com/articles/11258. Since this is an official fix, applying the update fully mitigates the vulnerabilities. There is no indication that additional mitigations are required beyond applying the vendor-provided patches.