rpm package
opensuse/jq&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/jq&distro=openSUSE%20Tumbleweed
Vulnerabilities (21)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44777 | Med | 5.5 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other. | |
| CVE-2026-43896 | Med | 6.2 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects. | |
| CVE-2026-43895 | Med | 4.4 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import str | |
| CVE-2026-43894 | Med | 6.2 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the f | |
| CVE-2026-41257 | Med | 5.5 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc | |
| CVE-2026-41256 | Med | 5.5 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only t | |
| CVE-2026-40612 | Med | 5.5 | < 1.8.1-3.1 | 1.8.1-3.1 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted. | |
| CVE-2026-40164 | Hig | 7.5 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 14, 2026 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supp | |
| CVE-2026-33948 | Med | 5.3 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 14, 2026 | jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead | |
| CVE-2026-39979 | Med | 6.5 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 13, 2026 | jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which r | |
| CVE-2026-39956 | Med | 6.1 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 13, 2026 | jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely | |
| CVE-2026-33947 | Med | 6.2 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 13, 2026 | jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An att | |
| CVE-2026-32316 | Hig | 8.2 | < 1.8.1-3.1 | 1.8.1-3.1 | Apr 13, 2026 | jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer o | |
| CVE-2025-49014 | Med | — | < 1.8.1-1.1 | 1.8.1-1.1 | Jun 19, 2025 | jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication. | |
| CVE-2025-48060 | — | < 1.8.1-1.1 | 1.8.1-1.1 | May 21, 2025 | jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, | ||
| CVE-2024-23337 | — | < 1.8.1-1.1 | 1.8.1-1.1 | May 21, 2025 | jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch fo | ||
| CVE-2024-53427 | — | < 1.7.1-3.1 | 1.7.1-3.1 | Feb 26, 2025 | decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input ha | ||
| CVE-2023-50268 | — | < 1.7.1-1.1 | 1.7.1-1.1 | Dec 13, 2023 | jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue. | ||
| CVE-2023-50246 | — | < 1.7.1-1.1 | 1.7.1-1.1 | Dec 13, 2023 | jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue. | ||
| CVE-2016-4074 | Hig | 7.5 | < 1.6-2.9 | 1.6-2.9 | May 6, 2016 | The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0. |
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import str
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the f
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only t
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supp
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which r
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An att
- affected < 1.8.1-3.1fixed 1.8.1-3.1
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer o
- affected < 1.8.1-1.1fixed 1.8.1-1.1
jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.
- CVE-2025-48060May 21, 2025affected < 1.8.1-1.1fixed 1.8.1-1.1
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication,
- CVE-2024-23337May 21, 2025affected < 1.8.1-1.1fixed 1.8.1-1.1
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch fo
- CVE-2024-53427Feb 26, 2025affected < 1.7.1-3.1fixed 1.7.1-3.1
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input ha
- CVE-2023-50268Dec 13, 2023affected < 1.7.1-1.1fixed 1.7.1-1.1
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
- CVE-2023-50246Dec 13, 2023affected < 1.7.1-1.1fixed 1.7.1-1.1
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
- affected < 1.6-2.9fixed 1.6-2.9
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0.
Page 1 of 2