VDE-2025-077 | CERT@VDE

2025-09-09 06:00 (CEST) VDE-2025-077

Phoenix Contact: Two vulnerabilities in the jq JSON processor utilized by FL MGUARD 110x devices

Share: Email | Twitter

ID

VDE-2025-077

Published

2025-09-09 06:00 (CEST)

Last update

2025-09-08 11:07 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	FL MGUARD 1102	< 1.8.1
	FL MGUARD 1105	< 1.8.1

Summary

The jq JSON processor, which is used to migrate firmware configurations in the product, contains 2 vulnerabilities that can be exploited by an authenticated attacker.

Vulnerabilities

CVE-2025-48060

7.5

Last Update

8. September 2025 11:04

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Out-of-bounds Write (CWE-787)

Summary

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function jv_string_vfmt in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 void* p = malloc(sz);. As of time of publication, no patched versions are available.

Details

nvd.nist.gov

CVE-2024-23337

6.5

Last Update

8. September 2025 11:03

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Weakness

Integer Overflow or Wraparound (CWE-190)

Summary

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

Details

nvd.nist.gov

Impact

An authenticated attacker can cause a denial of service.

Solution

Remediation

Phoenix Contact strongly recommends upgrading affected mGuard devices to firmware version 1.8.1 or higher which fixes this vulnerability.

Reported by

CERT@VDE coordinated with Phoenix Contact