CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
AnalysisAI
Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all jq deployments across infrastructure, including CI/CD systems, container image processing, and API backends; document current jq version on each system. Within 7 days: Apply input size limits (reject JSON payloads >50KB) and rate limiting on jq-processing endpoints; monitor jq process CPU utilization for anomalies. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today