Jq

9 CVEs product

CVE-2026-43894 MEDIUM PATCH This Month

Buffer overflow in jq 1.8.1 and earlier allows local attackers to cause denial of service by providing a crafted JSON number literal with INT_MAX-1 (2147483646) digits, triggering integer overflow in the D2U() macro that bypasses heap-allocation checks and writes approximately 1.4 GiB of attacker-controlled data to the stack, corrupting memory far below the stack frame.

Integer Overflow Buffer Overflow Jq
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-33948 LOW PATCH Monitor

Input validation bypass in the jq command-line JSON processor allows attackers to craft JSON with embedded NUL bytes that jq incorrectly truncates, validating only a benign prefix while silently discarding the trailing data. Versions before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b are affected. The vulnerability enables parser-differential attacks: jq validates the hostile input as well-formed JSON, but downstream consumers that honour the full buffer length process the complete input, including the injected payload. The CVSS score is low (2.9) and exploitation depends on timing, but the risk is moderate wherever jq serves as a validation gate for untrusted JSON that is then forwarded to other parsers.

Authentication Bypass Jq
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-39979 MEDIUM PATCH This Month

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

Buffer Overflow Information Disclosure Jq
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
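CVE-2026-33948 and CVE-2026-39979 share a root cause: a buffer handed over as pointer plus length is processed with C-string semantics. The example below is added here and is not jq code. It puts a naive validator that falls back to strlen() next to a length-aware one that rejects embedded NUL bytes and bounds its diagnostic with %.*s, so a buffer with no terminator is never read past its end. The "validation" is only a bracket-balance check standing in for a real JSON parser, and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for "is this well-formed JSON?": braces and brackets must
 * balance, string literals are skipped. It is deliberately not a JSON
 * parser; only the buffer handling around it matters for these two CVEs. */
static int balanced(const char *p, size_t len) {
    int depth = 0, in_str = 0;
    for (size_t i = 0; i < len; i++) {
        char c = p[i];
        if (in_str) {
            if (c == '\\') i++;           /* skip the escaped character */
            else if (c == '"') in_str = 0;
            continue;
        }
        if (c == '"') in_str = 1;
        else if (c == '{' || c == '[') depth++;
        else if (c == '}' || c == ']') { if (--depth < 0) return 0; }
    }
    return depth == 0 && !in_str;
}

static char g_err[128];                   /* last diagnostic from safe_validate */
const char *safe_validate_error(void) { return g_err; }

/* Vulnerable pattern: the caller supplies (buf, len) but the code falls back
 * to C-string semantics, so everything after the first NUL is never looked
 * at and a benign prefix vouches for the whole buffer. */
int naive_validate(const char *buf, size_t len) {
    (void)len;                            /* the bug: length ignored */
    return balanced(buf, strlen(buf));
}

/* Hardened: honour len, reject embedded NUL outright, and build diagnostics
 * with %.*s so a buffer with no terminator is never read past its end. */
int safe_validate(const char *buf, size_t len) {
    const char *nul = memchr(buf, '\0', len);
    if (nul) {
        snprintf(g_err, sizeof g_err, "embedded NUL at offset %zu", (size_t)(nul - buf));
        return 0;
    }
    if (!balanced(buf, len)) {
        int shown = (int)(len > 40 ? 40 : len);   /* precision caps the read at len */
        snprintf(g_err, sizeof g_err, "malformed JSON: %.*s", shown, buf);
        return 0;
    }
    g_err[0] = '\0';
    return 1;
}

int main(void) {
    /* Constructed sample: benign object, NUL, then a second document that a
     * length-aware downstream parser would also consume. 15 bytes. */
    static const char payload[] = "{\"a\":1}\0{\"b\":2}";
    size_t len = sizeof payload - 1;
    printf("naive_validate -> %d (accepted on the prefix alone)\n", naive_validate(payload, len));
    printf("safe_validate  -> %d (%s)\n", safe_validate(payload, len), safe_validate_error());

    /* Counted buffer with no terminator, exactly 6 bytes. Passing it through
     * a %s format, as the vulnerable error path did, reads past the end;
     * the %.*s path stops at len. */
    char *raw = malloc(6);
    if (!raw) return 1;
    memcpy(raw, "{\"x\":[", 6);
    printf("safe_validate  -> %d (%s)\n", safe_validate(raw, 6), safe_validate_error());
    free(raw);
    return 0;
}
```

On the constructed 15-byte payload the naive path accepts the benign 7-byte prefix, while the safe path reports the NUL at offset 7; a downstream consumer that honours the full length would have parsed both documents.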
CVE-2026-39956 MEDIUM PATCH This Month

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.

Buffer Overflow Information Disclosure Jq
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
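To show why an assert() is not an input check, the following added example (not jq code) models a string-indices builtin over a small tagged value whose payload is a union, the way a double and a pointer would share storage. The assert-only variant loses its check under -DNDEBUG; the checked variant returns an error code in every build. Type and function names are assumptions made for the illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Minimal tagged value standing in for libjq's jv. The payload is a union,
 * so a number and a string pointer share storage. Not jq code. */
typedef enum { KIND_NUMBER, KIND_STRING } kind_t;
typedef struct {
    kind_t kind;
    union { double num; const char *str; } u;
} value_t;

value_t mk_str(const char *s) { value_t v; v.kind = KIND_STRING; v.u.str = s; return v; }
value_t mk_num(double d)      { value_t v; v.kind = KIND_NUMBER; v.u.num = d; return v; }

/* Byte offsets of every (possibly overlapping) occurrence of needle in hay.
 * Writes at most cap offsets to out (out may be NULL when cap is 0) and
 * returns the total count. */
static size_t byte_indices(const char *hay, const char *needle, size_t *out, size_t cap) {
    size_t hlen = strlen(hay), nlen = strlen(needle), n = 0;
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) {
            if (n < cap) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Vulnerable pattern: the only type check is an assert(). Built with
 * -DNDEBUG it disappears, and a KIND_NUMBER argument makes u.str the
 * number's raw IEEE-754 bits, which are then dereferenced as a pointer. */
size_t indices_assert_only(value_t hay, value_t needle, size_t *out, size_t cap) {
    assert(hay.kind == KIND_STRING && needle.kind == KIND_STRING);
    return byte_indices(hay.u.str, needle.u.str, out, cap);
}

/* Hardened: an explicit check that exists in every build. Returns -1 on a
 * type error so the caller can raise an ordinary jq-style error instead. */
long indices_checked(value_t hay, value_t needle, size_t *out, size_t cap) {
    if (hay.kind != KIND_STRING || needle.kind != KIND_STRING) return -1;
    return (long)byte_indices(hay.u.str, needle.u.str, out, cap);
}

int main(void) {
    size_t out[8];
    long n = indices_checked(mk_str("a,b,,c"), mk_str(","), out, 8);
    printf("indices of ',' in \"a,b,,c\": %ld found ->", n);
    for (long i = 0; i < n; i++) printf(" %zu", out[i]);
    printf("\n");

    /* Wrong-typed argument: the checked version reports an error. The
     * assert-only version would abort in a debug build and, in a release
     * build, read through the bit pattern of 0.0 as if it were a char *. */
    printf("indices_checked(0, \",\") -> %ld\n", indices_checked(mk_num(0), mk_str(","), out, 8));
    return 0;
}
```

The number 0 is the trivial crash case from the entry: its bit pattern is all zeros, so the release build dereferences a null pointer. A non-zero double would supply an arbitrary pointer instead, which is the probe primitive the entry describes.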
CVE-2026-33947 MEDIUM PATCH This Month

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

Denial Of Service Jq
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
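The fix pattern for CVE-2026-33947 is to bound the path length at runtime and walk it iteratively. The example below is added here and is not jq code: a toy nested-array value with a recursive getpath whose stack usage follows the path length, next to a bounded, iterative version. MAX_PATH_DEPTH is assumed for the illustration and mirrors the parser-side limit the entry mentions; the tree and the 65,000-element path are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy nested-array tree standing in for a jq value: a node is either a
 * scalar (items == NULL) or an array of child nodes. Not jq code. */
typedef struct node {
    int value;                 /* payload when items == NULL */
    struct node **items;
    size_t n;
} node_t;

static node_t *leaf(int v) {
    node_t *x = calloc(1, sizeof *x); x->value = v; return x;
}
static node_t *arr(size_t n, node_t **items) {
    node_t *x = calloc(1, sizeof *x); x->items = items; x->n = n; return x;
}

/* Vulnerable pattern: recursion depth equals the path length, which the
 * caller of the filter controls through the input document. A parser-side
 * nesting limit does not apply here because the path is a flat array. */
const node_t *getpath_recursive(const node_t *v, const size_t *path, size_t plen) {
    if (plen == 0) return v;
    if (v->items == NULL || path[0] >= v->n) return NULL;
    return getpath_recursive(v->items[path[0]], path + 1, plen - 1);
}

#define MAX_PATH_DEPTH 10000   /* assumed limit; reuse whatever the parser enforces */

/* Hardened: refuse over-long paths before doing any work, and walk
 * iteratively so the C stack no longer scales with the path. Returns NULL
 * for a missing element; *too_deep is set when the path was rejected. */
const node_t *getpath_bounded(const node_t *v, const size_t *path, size_t plen, int *too_deep) {
    *too_deep = plen > MAX_PATH_DEPTH;
    if (*too_deep) return NULL;
    for (size_t i = 0; i < plen; i++) {
        if (v->items == NULL || path[i] >= v->n) return NULL;
        v = v->items[path[i]];
    }
    return v;
}

/* Constructed sample value: [[1,2],[3,[4]]] */
const node_t *sample_tree(void) {
    static node_t *root = NULL;
    if (root) return root;
    node_t **a = malloc(2 * sizeof *a); a[0] = leaf(1); a[1] = leaf(2);
    node_t **d = malloc(1 * sizeof *d); d[0] = leaf(4);
    node_t **b = malloc(2 * sizeof *b); b[0] = leaf(3); b[1] = arr(1, d);
    node_t **top = malloc(2 * sizeof *top); top[0] = arr(2, a); top[1] = arr(2, b);
    root = arr(2, top);
    return root;
}

/* Scalar at path, or -1 when missing, non-scalar, or rejected as too deep. */
int getpath_value(const node_t *root, const size_t *path, size_t plen) {
    int too_deep;
    const node_t *v = getpath_bounded(root, path, plen, &too_deep);
    if (too_deep || v == NULL || v->items != NULL) return -1;
    return v->value;
}

/* A 65,000-element path like the one in the entry: the bounded walker
 * rejects it without touching the stack. Returns 1 when rejected. */
int overlong_path_rejected(void) {
    size_t plen = 65000, *path = calloc(plen, sizeof *path);
    int too_deep;
    getpath_bounded(sample_tree(), path, plen, &too_deep);
    free(path);
    return too_deep;
}

int main(void) {
    size_t p[] = {1, 1, 0};
    printf("getpath([1,1,0]) recursive = %d\n", getpath_recursive(sample_tree(), p, 3)->value);
    printf("getpath([1,1,0]) bounded   = %d\n", getpath_value(sample_tree(), p, 3));
    printf("65000-deep path rejected   = %d\n", overlong_path_rejected());
    return 0;
}
```

Feeding the 65,000-element path to getpath_recursive instead would consume one frame per element, which is the crash the entry describes; the bounded version never starts the walk.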
CVE-2026-32316 HIGH PATCH This Week

Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attackers to crash processes or potentially achieve code execution via crafted queries producing strings exceeding 2^31 bytes. Integer overflow in jvp_string_append() and jvp_string_copy_replace_bad() functions causes undersized buffer allocation followed by heap corruption. Publicly available exploit code exists (SSVC: POC). EPSS score of 0.04% (12th percentile) suggests low observe

Heap Overflow Buffer Overflow Jq
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
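CVE-2026-43894 and CVE-2026-32316 are both integer overflows in a size computation that then feeds a buffer. The example below is added here and is not jq code: an int-length string append that checks the sum before adding, and a digits-to-units rounding done in 64-bit arithmetic that refuses any result that does not fit the int the rest of the code uses. per_unit and the helper names are my own; the actual decNumber macro is not reproduced.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy length-prefixed string with an int length, as in many C code bases.
 * Not jq code; the point is the arithmetic that sizes the buffer. */
typedef struct { int len; char *data; } lstr_t;

/* Vulnerable pattern (never call with large values): when a + b exceeds
 * INT_MAX the signed addition overflows, the allocation is sized from the
 * wrapped value, and the copy that follows runs past it. */
int append_len_unchecked(int a, int b) { return a + b; }

/* Hardened: test the bound before adding. Returns -1 on overflow. */
long checked_sum(int a, int b) {
    if (a < 0 || b < 0 || a > INT_MAX - b) return -1;
    return (long)a + b;
}

/* Same discipline for a "digits to storage units" computation driven by an
 * attacker-chosen digit count: do the rounding in 64 bits and refuse any
 * result that would not fit an int. per_unit is a parameter here rather
 * than a compile-time constant. Returns -1 on overflow or a zero unit size. */
long long digits_to_units(uint32_t digits, uint32_t per_unit) {
    if (per_unit == 0) return -1;
    uint64_t units = ((uint64_t)digits + per_unit - 1) / per_unit;
    return units > (uint64_t)INT_MAX ? -1 : (long long)units;
}

/* Append with the checked length. Returns 0 and leaves dst untouched if the
 * new length would overflow or memory is exhausted. */
int lstr_append(lstr_t *dst, const char *src, int slen) {
    long nl = checked_sum(dst->len, slen);
    if (nl < 0) return 0;
    char *p = realloc(dst->data, (size_t)nl + 1);   /* +1 for a terminator */
    if (!p) return 0;
    memcpy(p + dst->len, src, (size_t)slen);
    p[nl] = '\0';
    dst->data = p;
    dst->len = (int)nl;
    return 1;
}

/* Worked case: two appends succeed; a third whose claimed length would push
 * the total past INT_MAX is refused before any copy and leaves the string
 * unchanged. Returns the final length, or -1 if the refusal did not happen. */
int append_demo(void) {
    lstr_t s = { 0, NULL };
    lstr_append(&s, "hello", 5);
    lstr_append(&s, ", world", 7);
    int refused = !lstr_append(&s, "x", INT_MAX);  /* 12 + INT_MAX does not fit */
    int result = refused ? s.len : -1;
    free(s.data);
    return result;
}

int main(void) {
    printf("checked_sum(INT_MAX - 10, 20) = %ld (overflow)\n", checked_sum(INT_MAX - 10, 20));
    printf("digits_to_units(2147483646, 3) = %lld\n", digits_to_units(2147483646u, 3));
    printf("digits_to_units(UINT32_MAX, 1) = %lld (does not fit an int)\n",
           digits_to_units(UINT32_MAX, 1));
    printf("append_demo() final length = %d\n", append_demo());
    return 0;
}
```

The digit count from the first entry (2147483646) is exactly the kind of value that wraps once a small rounding constant is added in 32-bit arithmetic; widening the intermediate and comparing against the destination type's maximum is the check that keeps a small-looking size from selecting a stack buffer for a multi-gigabyte write.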
CVE-2025-48060 HIGH POC PATCH This Week

jq is a command-line JSON processor. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available and no vendor patch is available.

Buffer Overflow Stack Overflow Jq Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.6%
CVE-2024-23337 MEDIUM POC PATCH Monitor

jq is a command-line JSON processor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.

Integer Overflow Denial Of Service Jq Red Hat Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-53427 HIGH POC PATCH This Week

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as. Rated high severity (CVSS 8.1), this vulnerability requires no authentication. Public exploit code is available and no vendor patch is available.

Memory Corruption Buffer Overflow Jq Red Hat Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%