View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2025-48060 severity moderate: SUSE including 263 source package names (1.0.4-3.54:jq-1.6-150000.3.9.1, 1.0.4-3.54:libjq1-1.6-150000.3.9.1, …), 485 product×package rows across 124 product lines (Container containers/suse-ai-observability-extension-setup, Container suse/sl-micro/6.0/baremetal-os-container, … (124 product lines)): Fixed 251, Known Affected 226, Known Not Affected 8.
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.