Patch taken from https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e From 499c91bca9d4d027833bc62787d1bb075c03680e Mon Sep 17 00:00:00 2001 From: Mattias Wadman Date: Thu, 19 Jun 2025 00:11:01 +0200 Subject: [PATCH] Fixes CVE-2025-49014 which was introduced in 1.8.0 --- src/builtin.c | 6 ++++-- tests/jq.test | 8 ++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) --- jq-1.8.0/src/builtin.c.orig +++ jq-1.8.0/src/builtin.c @@ -1769,6 +1769,7 @@ return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs")); const char *fmt = jv_string_value(b); + int fmt_not_empty = *fmt != '\0'; size_t max_size = strlen(fmt) + 100; char *buf = jv_mem_alloc(max_size); #ifdef __APPLE__ @@ -1789,7 +1790,7 @@ #endif jv_free(b); /* POSIX doesn't provide errno values for strftime() failures; weird */ - if ((n == 0 && *fmt) || n > max_size) { + if ((n == 0 && fmt_not_empty) || n > max_size) { free(buf); return jv_invalid_with_msg(jv_string("strftime/1: unknown system failure")); } @@ -1818,12 +1819,13 @@ if (!jv2tm(a, &tm, 1)) return ret_error(b, jv_string("strflocaltime/1 requires parsed datetime inputs")); const char *fmt = jv_string_value(b); + int fmt_not_empty = *fmt != '\0'; size_t max_size = strlen(fmt) + 100; char *buf = jv_mem_alloc(max_size); size_t n = strftime(buf, max_size, fmt, &tm); jv_free(b); /* POSIX doesn't provide errno values for strftime() failures; weird */ - if ((n == 0 && *fmt) || n > max_size) { + if ((n == 0 && fmt_not_empty) || n > max_size) { free(buf); return jv_invalid_with_msg(jv_string("strflocaltime/1: unknown system failure")); } --- jq-1.8.0/tests/jq.test.orig +++ jq-1.8.0/tests/jq.test @@ -2495,3 +2495,11 @@ 3 2 4 + +# regression test for CVE-2025-49014 (use of fmt after free) +# tests with both empty string literal and empty string created by function +# as they seems to behave referecne wise differently. +strflocaltime("" | ., @uri) +0 +"" +""
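Review bot: The new `fmt_not_empty` snapshot in the strflocaltime/1 hunk carries no comment saying why it is taken early, so a later cleanup could fold it back into `*fmt` and reintroduce the use-after-free that this patch fixes: `fmt` comes from `jv_string_value(b)`, and `jv_free(b)` runs before the error check, so by then `fmt` is presumably dangling. I would annotate the declaration, `int fmt_not_empty = *fmt != '\0'; /* read now: fmt is owned by b, which is freed below before the check */`, and optionally clear the stale pointer right after the release, `jv_free(b); fmt = NULL;`, so any future read faults instead of touching freed memory. The same snapshot is added in the strftime/1 hunks and deserves the same comment. The enclosing function starts before this hunk.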
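Review bot: The regression test added to jq.test only exercises strflocaltime/1, while the builtin.c hunks patch strftime/1 with the identical change, so the second code path stays uncovered; a parallel case `strftime("" | ., @uri)` with input `0` and expected outputs `""` and `""` would cover it, assuming strftime/1 accepts the same datetime input as strflocaltime/1 does here. The test comment also has typos; I would write it as `# as they seem to behave differently reference-wise.`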