CVE-2025-48060

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-48060

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48060.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-48060

Aliases

GHSA-p7rr-28xf-3m5w

Downstream

ALPINE-CVE-2025-48060

BELL-CVE-2025-48060

DEBIAN-CVE-2025-48060

DLA-4307-1

ECHO-1a73-323b-ca34

OESA-2025-1809

RHSA-2025:10585

RHSA-2025:10613

RHSA-2025:10615

RHSA-2025:10616

RHSA-2025:10618

RHSA-2025:10619

RHSA-2025:10620

RHSA-2025:10621

RHSA-2025:10622

RHSA-2025:12882

RLSA-2025:10585

RLSA-2025:10618

RLSA-2025:12882

ROOT-OS-DEBIAN-12-CVE-2025-48060

UBUNTU-CVE-2025-48060

USN-7657-1

USN-7657-2

Related

Published

2025-05-21T17:32:43.602Z

Modified

2026-02-04T02:24:57.251411Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

Details

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function jv_string_vfmt in the jqfuzzexecute harness from oss-fuzz. This crash happens on file jv.c, line 1456 void* p = malloc(sz);. As of time of publication, no patched versions are available.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48060.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-121"
    ]
}

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48060.json"