VYPR

rpm package

opensuse/jq&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/jq&distro=openSUSE%20Tumbleweed

Vulnerabilities (21)

  • CVE-2026-44777MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

  • CVE-2026-43896MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

  • CVE-2026-43895MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import str

  • CVE-2026-43894MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the f

  • CVE-2026-41257MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc

  • CVE-2026-41256MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only t

  • CVE-2026-40612MedMay 11, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

  • CVE-2026-40164HigApr 14, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supp

  • CVE-2026-33948MedApr 14, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead

  • CVE-2026-39979MedApr 13, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which r

  • CVE-2026-39956MedApr 13, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely

  • CVE-2026-33947MedApr 13, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An att

  • CVE-2026-32316HigApr 13, 2026
    affected < 1.8.1-3.1fixed 1.8.1-3.1

    jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer o

  • CVE-2025-49014MedJun 19, 2025
    affected < 1.8.1-1.1fixed 1.8.1-1.1

    jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

  • CVE-2025-48060May 21, 2025
    affected < 1.8.1-1.1fixed 1.8.1-1.1

    jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication,

  • CVE-2024-23337May 21, 2025
    affected < 1.8.1-1.1fixed 1.8.1-1.1

    jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch fo

  • CVE-2024-53427Feb 26, 2025
    affected < 1.7.1-3.1fixed 1.7.1-3.1

    decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input ha

  • CVE-2023-50268Dec 13, 2023
    affected < 1.7.1-1.1fixed 1.7.1-1.1

    jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

  • CVE-2023-50246Dec 13, 2023
    affected < 1.7.1-1.1fixed 1.7.1-1.1

    jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

  • CVE-2016-4074HigMay 6, 2016
    affected < 1.6-2.9fixed 1.6-2.9

    The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0.

Page 1 of 2