Description
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
Published: 2026-04-13
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

jq is a command‑line JSON processor in which, up to and including version 1.8.1, the internal functions jv_setpath, jv_getpath, and delpaths_sorted perform recursive traversals that are bounded only by the length of a caller‑supplied path array. An attacker can construct a JSON document containing a flat array of roughly 65,000 integers (about 200 KB) and use it as a path argument for a trusted jq filter. This causes the functions to recurse deeply, exhausting the C call stack and resulting in a segmentation fault. The failure is unrecoverable, bringing the process to a halt, and therefore constitutes a denial‑of‑service condition. The weakness is identified as CWE‑674: Uncontrolled Recursion.

Affected Systems

The vulnerability affects the jq JSON processor supplied by the jqlang project. Any deployment of jq version 1.8.1 or earlier is susceptible. This includes any application or service that incorporates jq and passes untrusted JSON through the setpath, getpath, or delpaths built‑in functions, regardless of the operating system or environment.

Risk and Exploitability

The CVSS 3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects moderate severity: no privileges or user interaction are required and the availability impact is high, but the attack vector is rated Local. EPSS is below 1%, the issue is not listed in CISA's KEV catalog, and the SSVC assessment records a public proof of concept that is not automatable. The Local rating understates exposure for services that pass network-supplied JSON into jq's setpath, getpath or delpaths, since any input channel that delivers a sufficiently long path array to those functions produces the crash. The payload is trivial to construct and affected releases enforce no runtime bound, so the realistic outcome is a reliable outage of the jq process for any such service.

Generated by OpenCVE AI on April 14, 2026 at 00:20 UTC.

Remediation

A fix is committed upstream (commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f, per the description above); no vendor-provided workaround is listed.

OpenCVE Recommended Actions

  • Upgrade jq to a release that contains commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f, i.e. any version newer than 1.8.1, which addresses the unbounded recursion in setpath, getpath and delpaths.
  • If an upgrade is not immediately possible, reject (rather than truncate) any caller-supplied path array whose length exceeds a fixed bound before it reaches jq; truncating silently changes which element the filter reads or writes, while rejecting fails closed.
  • Run jq invocations that apply setpath, getpath or delpaths to untrusted input in an isolated, supervised process (a separate worker process or container with a restart policy), so a SIGSEGV takes down only that worker and not the calling service.

Generated by OpenCVE AI on April 14, 2026 at 00:20 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 00:15:00 +0000

Type                  Values Removed          Values Added
References
Metrics               threat_severity: None   threat_severity: Moderate


Tue, 14 Apr 2026 16:30:00 +0000

Type                  Values Removed          Values Added
First Time appeared                           Jqlang; Jqlang jq
Vendors & Products                            Jqlang; Jqlang jq

Tue, 14 Apr 2026 14:15:00 +0000

Type                  Values Removed          Values Added
Metrics                                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 22:00:00 +0000

Type                  Values Removed          Values Added
Description                                   jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
Title                                         jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()
Weaknesses                                    CWE-674
References
Metrics                                       cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:45:13.483Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33947

Vulnrichment

Updated: 2026-04-14T13:45:04.463Z

NVD

Status: Received

Published: 2026-04-13T22:16:29.157

Modified: 2026-04-14T15:16:28.897

Link: CVE-2026-33947

Redhat

Severity: Moderate

Public Date: 2026-04-13T21:50:18Z

Links: CVE-2026-33947 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:32:55Z

Weaknesses