Jqlang Jq vulnerabilities
16 known vulnerabilities affecting jqlang/jq.

Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 8, LOW 1
Vulnerabilities
CVE-2026-40164 | HIGH | CVSS 7.5 | CWE-328 | fixed in 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 | 2026-04-14
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same b
Sources: cvelistv5, nvd
CVE-2026-33948 | LOW | CVSS 2.9 | CWE-20 | fixed in 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b | 2026-04-14
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the
Sources: cvelistv5, nvd
CVE-2026-32316 | HIGH | CVSS 8.2 | CWE-122 | fixed in e47e56d226519635768e6aab2f38f0ab037c09e5 | 2026-04-13
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastica
Sources: cvelistv5, nvd
CVE-2026-39979 | MEDIUM | CVSS 6.9 | CWE-125 | fixed in 2f09060afab23fe9390cce7cb860b10416e1bf5f | 2026-04-13
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-
Sources: cvelistv5, nvd
CVE-2026-33947 | MEDIUM | CVSS 6.2 | CWE-674 | fixed in fb59f1491058d58bdc3e8dd28f1773d1ac690a1f | 2026-04-13
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 int
Sources: cvelistv5, nvd
CVE-2026-39956 | MEDIUM | CVSS 6.1 | CWE-125 | affected: >= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03 | 2026-04-13
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -D
Sources: cvelistv5, nvd
CVE-2025-9403 | MEDIUM | CVSS 4.8 | CWE-617 | affected: ≤ 1.6, v1.0, +6 more | 2025-08-25
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.
Sources: cvelistv5, nvd
CVE-2025-49014 | MEDIUM | CVSS 5.5 | CWE-416 | affected: = 1.8.0 | 2025-06-19
jq is a command-line JSON processor. In version 1.8.0 a heap use-after-free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b; no known fix version exists at time of publication.
Sources: cvelistv5, nvd, osv
CVE-2025-48060 | HIGH | CVSS 7.7 | CWE-121 | affected: ≤ 1.7.1 | 2025-05-21
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
Sources: cvelistv5, nvd, osv
CVE-2024-23337 | MEDIUM | CVSS 6.5 | CWE-190 | affected: ≤ 1.7.1 | 2025-05-21
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning a value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.
Sources: cvelistv5, nvd, osv
CVE-2024-53427 | HIGH | CVSS 8.1 | CWE-843 | affected: ≤ 1.7.1 | 2025-02-26
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately fo
Sources: cvelistv5, nvd, osv
CVE-2023-50268 | MEDIUM | CVSS 5.5 | CWE-120 | affected: = 1.7 | 2023-12-13
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
Sources: cvelistv5, nvd, osv
CVE-2023-50246 | MEDIUM | CVSS 5.5 | CWE-120 | affected: = 1.7 | 2023-12-13
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
Sources: cvelistv5, nvd, osv
CVE-2023-49355 | HIGH | CVSS 7.5 | CWE-787 | affected: v1.7-37-g88f01a7 | 2023-12-11
decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.
Sources: nvd, osv
CVE-2015-8863 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 1.5+dfsg-1.1 | 2016-05-06
Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.
Sources: osv
CVE-2016-4074 | HIGH | CVSS 7.5 | affected: ≥ 0, < 1.5+dfsg-1.1 | 2016-05-06
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0.
Sources: osv