CVE-2025-48060
CVE Details
Visit the official vulnerability details page for CVE-2025-48060 to learn more.
Initial Publication
06/21/2025
Last Update
09/18/2025
Third Party Dependency
jq
NIST CVE Summary
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
CVE Severity
Our Official Summary
This is a heap buffer overflow vulnerability in the jq command-line JSON processor, affecting versions up to and including 1.7.1. The flaw exists in the jv_string_vfmt function within the jq_fuzz_execute harness from oss-fuzz, where improper memory handling can lead to a crash or potentially allow arbitrary code execution.
The images where this vulnrability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.20 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
| 4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 06/30/2025 | Status changed from Open to Ongoing |
| 06/30/2025 | Official summary added |