{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9403", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-08-24T15:01:34.848Z", "datePublished": "2025-08-25T02:02:07.038Z", "dateUpdated": "2025-08-25T16:48:14.466Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-25T02:02:07.038Z"}, "title": "jqlang jq JSON jq_test.c run_jq_tests assertion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-617", "lang": "en", "description": "Reachable Assertion"}]}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "1.0", "status": "affected"}, {"version": "1.1", "status": "affected"}, {"version": "1.2", "status": "affected"}, {"version": "1.3", "status": "affected"}, {"version": "1.4", "status": "affected"}, {"version": "1.5", "status": "affected"}, {"version": "1.6", "status": "affected"}], "modules": ["JSON Parser"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well."}, {"lang": "de", "value": "In jqlang jq bis 1.6 ist eine Schwachstelle entdeckt worden. Es geht hierbei um die Funktion run_jq_tests der Datei jq_test.c der Komponente JSON Parser. Durch das Beeinflussen mit unbekannten Daten kann eine reachable assertion-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-08-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-08-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-08-24T17:06:41.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "xdcao (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.321239", "name": "VDB-321239 | jqlang jq JSON jq_test.c run_jq_tests assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.321239", "name": "VDB-321239 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.633170", "name": "Submit #633170 | JQ JQ version 1.6 and the newest master. Assertion Failure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jqlang/jq/issues/3393", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://github.com/jqlang/jq/issues/3393", "tags": ["exploit"]}, {"url": "https://vuldb.com/?submit.633170", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T16:48:11.181638Z", "id": "CVE-2025-9403", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T16:48:14.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T16:48:11.181638Z"}}}], "references": [{"url": "https://github.com/jqlang/jq/issues/3393", "tags": ["exploit"]}, {"url": "https://vuldb.com/?submit.633170", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T16:48:05.328Z"}}], "cna": {"title": "jqlang jq JSON jq_test.c run_jq_tests assertion", "credits": [{"lang": "en", "type": "reporter", "value": "xdcao (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "jqlang", "modules": ["JSON Parser"], "product": "jq", "versions": [{"status": "affected", "version": "1.0"}, {"status": "affected", "version": "1.1"}, {"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.4"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.6"}]}], "timeline": [{"lang": "en", "time": "2025-08-24T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-08-24T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-08-24T17:06:41.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.321239", "name": "VDB-321239 | jqlang jq JSON jq_test.c run_jq_tests assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.321239", "name": "VDB-321239 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.633170", "name": "Submit #633170 | JQ JQ version 1.6 and the newest master. Assertion Failure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jqlang/jq/issues/3393", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well."}, {"lang": "de", "value": "In jqlang jq bis 1.6 ist eine Schwachstelle entdeckt worden. Es geht hierbei um die Funktion run_jq_tests der Datei jq_test.c der Komponente JSON Parser. Durch das Beeinflussen mit unbekannten Daten kann eine reachable assertion-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "Reachable Assertion"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-25T02:02:07.038Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9403", "state": "PUBLISHED", "dateUpdated": "2025-08-25T16:48:14.466Z", "dateReserved": "2025-08-24T15:01:34.848Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-08-25T02:02:07.038Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED1F6664-2E8D-4E34-92AA-EBF3FB55F1B0", "versionEndIncluding": "1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en jqlang (hasta la versi\u00f3n 1.6). La funci\u00f3n run_jq_tests del archivo jq_test.c del componente JSON Parser se ve afectada. La manipulaci\u00f3n puede generar una aserci\u00f3n accesible. El ataque requiere acceso local. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Otras versiones tambi\u00e9n podr\u00edan verse afectadas."}], "id": "CVE-2025-9403", "lastModified": "2025-09-12T20:11:28.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-08-25T03:15:37.160", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/issues/3393"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.321239"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.321239"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.633170"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/issues/3393"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.633170"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: assertion failure in run_jq_tests() of the file jq_test.c", "id": "2390651", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390651"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-617", "details": ["A vulnerability has been identified in the jq JSON processor where malformed JSON input containing invalid Unicode escape sequences can trigger an assertion failure in the test suite\u2019s parsing consistency checks. This flaw arises from inconsistencies between expected and reparsed JSON values during serialization and deserialization, potentially allowing an attacker to exploit the issue by supplying specially crafted JSON data to cause abnormal termination or denial of service during test execution, highlighting weaknesses in jq\u2019s parsing reliability."], "mitigation": {"lang": "en:us", "value": "No action is required for production users, as the vulnerability only affects jq\u2019s internal test framework and does not impact its core JSON processing functionality. Standard deployments of jq remain unaffected. Developers and testers are advised to avoid running the test suite with untrusted or malformed JSON input until a fix is applied."}, "name": "CVE-2025-9403", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:trusted_application_pipeline:1", "fix_state": "Fix deferred", "package_name": "rhtap-cli/rhtap-cli-rhel9", "product_name": "Red Hat Trusted Application Pipeline"}], "public_date": "2025-08-25T02:02:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9403\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9403\nhttps://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing\nhttps://github.com/jqlang/jq/issues/3393\nhttps://vuldb.com/?ctiid.321239\nhttps://vuldb.com/?id.321239\nhttps://vuldb.com/?submit.633170"], "statement": "This vulnerability is limited to jq\u2019s internal test framework and does not affect jq\u2019s core functionality in production use. Exploitation requires supplying malformed JSON with invalid Unicode escape sequences during test execution, which can trigger an assertion failure and abnormal termination of the test suite. The issue is rated Low severity as it only causes test crashes in debug or development environments, without exposing sensitive data, compromising system integrity, or affecting jq\u2019s normal JSON processing in production.", "threat_severity": "Low"}