Buffer overflow in Jqlang Jq

CVE-2025-48060

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p =…

Vulnerability class: Buffer Overflow

EPSS: 0.006 (69.5th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-48060?
CVE-2025-48060 is a vulnerability in Jqlang Jq, classified under Stack-based Buffer Overflow. Published 2025-05-21.
Is CVE-2025-48060 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.