jqlang CVE Vulnerabilities & Metrics

Focus on jqlang vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About jqlang Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jqlang. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total jqlang CVEs: 7
Earliest CVE date: 11 Dec 2023, 07:15 UTC
Latest CVE date: 25 Aug 2025, 03:15 UTC

Latest CVE reference: CVE-2025-9403

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 4

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 33.33%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 33.33%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical jqlang CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.24

Max CVSS: 1.7

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	7
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS jqlang CVEs

These are the five CVEs with the highest CVSS scores for jqlang, sorted by severity first and recency.

CVE-2025-9403 jqlang Published on 25 Aug 2025, 03:15 UTC (CVSS: 1.7)
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.
CVE-2025-48060 jqlang Published on 21 May 2025, 18:15 UTC (CVSS: 0)
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
CVE-2024-23337 jqlang Published on 21 May 2025, 15:16 UTC (CVSS: 0)
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.
CVE-2024-53427 jqlang Published on 26 Feb 2025, 16:15 UTC (CVSS: 0)
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).
CVE-2023-50268 jqlang Published on 13 Dec 2023, 21:15 UTC (CVSS: 0)
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

All CVEs for jqlang

CVE-2025-9403 jqlang vulnerability CVSS: 1.7 25 Aug 2025, 03:15 UTC

A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.

CVE-2025-48060 jqlang vulnerability CVSS: 0 21 May 2025, 18:15 UTC

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

CVE-2024-23337 jqlang vulnerability CVSS: 0 21 May 2025, 15:16 UTC

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

CVE-2024-53427 jqlang vulnerability CVSS: 0 26 Feb 2025, 16:15 UTC

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).

CVE-2023-50268 jqlang vulnerability CVSS: 0 13 Dec 2023, 21:15 UTC

jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

CVE-2023-50246 jqlang vulnerability CVSS: 0 13 Dec 2023, 21:15 UTC

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

CVE-2023-49355 jqlang vulnerability CVSS: 0 11 Dec 2023, 07:15 UTC

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.