jq 安全漏洞

jq is a lightweight and flexible command-line JSON processor developed by jqlang. There is a security vulnerability in jq, which stems from the lack of parameter type validation in the strindices built-in function. This vulnerability may lead to crashes or uncontrolled pointer dereferencing...

EUVD-2025-18920

Malicious code in bioql PyPI...

CVE-2025-61592

Cursor CLI (versions ≤ 1.7) is vulnerable to Remote Code Execution via automatic loading of project-specific CLI configuration from /.cursor/cli.json that can override global settings. The underlying issue is permissive configuration combined with prompt injection delivered through project rules ...

Azure Linux 3.0 Security Update: jq (CVE-2024-23337)

The version of jq installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-23337 advisory. - jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when...

CVE-2025-49014 jq heap use after free vulnerability in f_strflocaltime

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function fstrflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication...

CVE-2025-49014

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function fstrflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication...

PT-2025-26220

Name of the Vulnerable Software and Affected Versions jq version 1.8.0 Description A heap use after free issue exists within the function f strflocaltime of /src/builtin.c. This is a problem in a command-line JSON processor. Recommendations For version 1.8.0, consider restricting access to the f...

CVE-2025-48060

CVE-2025-48060 affects jq up to version 1.7.1, where a heap-buffer-overflow in the jv_string_vfmt path can crash the process when formatting strings (OSS-Fuzz harness). The issue is triggered in jq_fuzz_execute and references malloc in jv.c. As of publication, no patch existed in the initial desc...

CVE-2025-48060 AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function jvstringvfmt in the jqfuzzexecute harness from oss-fuzz. This crash happens on file jv.c, line 1456 void p = mallocsz;. As of time of publication, no patched versions are...

CVE-2024-23337

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue...

CVE-2023-50246

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue...

CVE-2023-50246 jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue...