CVE-2025-9403
Published: August 26, 2025
Last modified: September 2, 2025
Description
A vulnerability was found in jqlang jq up to version 1.6, in the function run_jq_tests of the file jq_test.c (JSON Parser component). Manipulated test input can lead to a reachable assertion, i.e. an assertion failure that aborts the process. The attack requires local access. An exploit has been publicly disclosed and may be used. Other versions might be affected as well.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Notes
From Red Hat:

Statement: This vulnerability is limited to jq’s internal test framework and does not affect jq’s core functionality in production use. Exploitation requires supplying malformed JSON with invalid Unicode escape sequences during test execution, which can trigger an assertion failure and abnormal termination of the test suite. The issue is rated Low severity as it only causes test crashes in debug or development environments, without exposing sensitive data, compromising system integrity, or affecting jq’s normal JSON processing in production.

Mitigation: No action is required for production users, as the vulnerability only affects jq’s internal test framework and does not impact its core JSON processing functionality. Standard deployments of jq remain unaffected. Developers and testers are advised to avoid running the test suite with untrusted or malformed JSON input until a fix is applied.

Source: https://access.redhat.com/security/cve/CVE-2025-9403
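As a practical form of the "avoid running the test suite with untrusted or malformed JSON input" advice above, the following is an added example (not code from jq, from Red Hat or from this advisory): a small Python pre-check that flags malformed `\u` escape sequences in JSON text before that text is handed to a test harness that asserts on such input rather than rejecting it. The page does not state which exact malformed escapes trigger the assertion in run_jq_tests, so the check is deliberately conservative and reports every `\u` form that is not a well-formed JSON escape: fewer than four hex digits, non-hex digits, and unpaired UTF-16 surrogates. All sample inputs are constructed for this example.

```python
"""Conservative lint for malformed \\u escapes inside JSON string literals.

Added example for CVE-2025-9403: run this over test inputs (e.g. the JSON
lines of a jq test file) before feeding them to a test harness. The exact
trigger condition inside jq is not stated on the advisory page, so every
malformed \\u form is reported, not only one specific pattern.
"""
import re

HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def find_invalid_unicode_escapes(text: str) -> list[tuple[int, str]]:
    """Return (offset, reason) for each malformed \\u escape in `text`.

    Only backslashes inside string literals are examined, because the JSON
    grammar permits escapes nowhere else. Surrogate pairs (\\uD800-\\uDBFF
    followed by \\uDC00-\\uDFFF) are accepted; lone surrogates are reported.
    """
    problems: list[tuple[int, str]] = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if not in_string:
            if c == '"':
                in_string = True
            i += 1
            continue
        if c == '"':
            in_string = False
            i += 1
            continue
        if c != "\\":
            i += 1
            continue
        # Backslash inside a string literal: inspect the escape letter.
        if i + 1 >= n:
            problems.append((i, "dangling backslash at end of input"))
            break
        if text[i + 1] != "u":
            i += 2  # \" \\ \/ \b \f \n \r \t (or an unknown letter): not a \u escape
            continue
        hex_digits = text[i + 2:i + 6]
        if not HEX4.fullmatch(hex_digits):
            problems.append((i, f"\\u not followed by four hex digits: {text[i:i + 6]!r}"))
            i += 2
            continue
        cp = int(hex_digits, 16)
        i += 6
        if 0xDC00 <= cp <= 0xDFFF:
            problems.append((i - 6, f"lone low surrogate \\u{hex_digits}"))
        elif 0xD800 <= cp <= 0xDBFF:
            # A high surrogate is only valid when immediately paired with a low one.
            tail = text[i:i + 6]
            if (len(tail) == 6 and tail[:2] == "\\u" and HEX4.fullmatch(tail[2:])
                    and 0xDC00 <= int(tail[2:], 16) <= 0xDFFF):
                i += 6
            else:
                problems.append((i - 6, f"high surrogate \\u{hex_digits} without low surrogate"))
    if in_string:
        problems.append((n, "unterminated string literal"))
    return problems


# Constructed sample inputs (not taken from the jq test suite).
SAMPLES = {
    "valid_bmp": '{"s": "caf\\u00e9"}',
    "valid_pair": '"\\ud83d\\ude00"',
    "short_hex": '"\\u12"',
    "non_hex": '"\\uZZZZ"',
    "lone_high": '"\\ud800 rest"',
    "lone_low": '"\\udc00"',
    "outside_string": '\\u12 {"ok": true}',
}


def check_samples() -> dict[str, int]:
    """Number of problems found per constructed sample."""
    return {name: len(find_invalid_unicode_escapes(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for offset, reason in find_invalid_unicode_escapes(text):
            print(f"{name}: offset {offset}: {reason}")
```

Run it over each JSON input line before invoking the test suite and skip (or quarantine) any line that produces a report. A generic parser such as Python's `json.loads` is not a substitute for this check: it rejects `\u12` and `\uZZZZ`, but it silently accepts lone surrogates such as `"\ud800"`, which is exactly the class of "invalid Unicode escape sequences" the statement above warns about.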
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | jq | Vulnerable (1.6-r2) |
| Alpaquita Linux | 25 LTS | jq | Vulnerable (1.7.1-r0) |
| Alpaquita Linux | Stream | jq | Vulnerable (1.6-r1) |