jqlang CVE Vulnerabilities & Metrics

Focus on jqlang vulnerabilities and metrics.

Last updated: 29 Jun 2025, 22:25 UTC

About jqlang Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jqlang. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total jqlang CVEs: 5
Earliest CVE date: 11 Dec 2023, 07:15 UTC
Latest CVE date: 21 May 2025, 18:15 UTC

Latest CVE reference: CVE-2025-48060

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): -33.33%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): -33.33%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical jqlang CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 5
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS jqlang CVEs

These are the five CVEs with the highest CVSS scores for jqlang, sorted first by severity, then by recency.

All CVEs for jqlang

CVE-2025-48060 jqlang vulnerability CVSS: 0 21 May 2025, 18:15 UTC

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. The crash occurs in file jv.c at line 1456, `void* p = malloc(sz);`. As of the time of publication, no patched versions are available.

CVE-2024-23337 jqlang vulnerability CVSS: 0 21 May 2025, 15:16 UTC

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning a value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

CVE-2023-50268 jqlang vulnerability CVSS: 0 13 Dec 2023, 21:15 UTC

jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

CVE-2023-50246 jqlang vulnerability CVSS: 0 13 Dec 2023, 21:15 UTC

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

CVE-2023-49355 jqlang vulnerability CVSS: 0 11 Dec 2023, 07:15 UTC

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.