VYPR

Vendor CVEs

Jqlang

All CVEs

23 total · sorted by risk
  • CVE-2015-8863CriMay 6, 2016
    risk 0.57cvss 9.8epss 0.07

    Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.

  • CVE-2016-4074HigMay 6, 2016
    risk 0.49cvss 7.5epss 0.05

    The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0.

  • CVE-2026-32316HigApr 13, 2026
    risk 0.46cvss 8.2epss 0.00

    jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer…

  • CVE-2026-40164HigApr 14, 2026
    risk 0.42cvss 7.5epss 0.00

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By…

  • CVE-2026-39979MedApr 13, 2026
    risk 0.35cvss 6.5epss 0.00

    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which…

  • CVE-2026-43896MedMay 11, 2026
    risk 0.33cvss 6.2epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

  • CVE-2026-43894MedMay 11, 2026
    risk 0.33cvss 6.2epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the…

  • CVE-2026-39956MedApr 13, 2026
    risk 0.33cvss 6.1epss 0.00

    jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies…

  • CVE-2026-33947MedApr 13, 2026
    risk 0.33cvss 6.2epss 0.00

    jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An…

  • CVE-2026-44777MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

  • CVE-2026-41257MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to…

  • CVE-2026-41256MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only…

  • CVE-2026-40612MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

  • CVE-2025-49014MedJun 19, 2025
    risk 0.29cvss epss 0.00

    jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

  • CVE-2026-33948MedApr 14, 2026
    risk 0.27cvss 5.3epss 0.00

    jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length…

  • CVE-2026-43895MedMay 11, 2026
    risk 0.22cvss 4.4epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import…

  • CVE-2025-9403LowAug 25, 2025
    risk 0.21cvss 3.3epss 0.00

    A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and…

  • CVE-2025-48060May 21, 2025
    risk 0.00cvss epss 0.00

    jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication,…

  • CVE-2024-23337May 21, 2025
    risk 0.00cvss epss 0.00

    jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch…

  • CVE-2024-53427Feb 26, 2025
    risk 0.00cvss epss 0.00

    decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input…

  • CVE-2023-50268Dec 13, 2023
    risk 0.00cvss epss 0.00

    jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

  • CVE-2023-50246Dec 13, 2023
    risk 0.00cvss epss 0.01

    jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

  • CVE-2023-49355Dec 11, 2023
    risk 0.00cvss epss 0.01

    decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.