Impact
jq, the command‑line JSON processor, has a recursion flaw in its module loader. When two otherwise valid modules include each other, the loader recurses without cycle detection. The resulting stack exhaustion crashes the jq process, creating a denial‑of‑service condition. The weakness is classified as CWE‑674 (Uncontrolled Recursion). Affected systems are installations of jq distributed by jqlang, specifically version 1.8.2rc1 or older. The advisory does not list exact version ranges, but the vulnerability applies to releases before the fix is applied. Users whose jq invocations load modules that include each other are therefore exposed. The CVSS score of 5.4 places this bug in the medium severity range. EPSS data is not available, and the vulnerability is not yet listed in CISA's KEV catalog. The most plausible attack vector requires an attacker who can supply arbitrary jq modules to a system running jq, which makes the flaw useful for local denial‑of‑service attacks and potentially affects downstream services that depend on jq’s output. No publicly known exploits have been reported, but the condition can arise during legitimate processing of malicious or malformed module sets. Since there is no formal workaround, the next logical step is to apply an update that removes the recursion bug.
Affected Systems
The problem exists in the jq package published by jqlang. Any deployment using jq 1.8.2rc1 or earlier is vulnerable. Because the advisory does not list explicit version numbers beyond that release, users should check the exact build they have and treat earlier releases as impacted. This includes both the command‑line tool and any wrapper scripts that invoke jq. No additional vendor or product versions are listed in the CNA data. Staff should verify whether their environment uses the affected jq binaries, either directly or indirectly via third‑party applications. Risk assessment indicates that while the CVSS score is moderate, exploitability is limited to contexts where jq processes untrusted or malicious modules, which may occur in data ingestion pipelines or command‑line utilities. Since the bug triggers a stack overflow, it can terminate the process but does not by itself expose a confidentiality or integrity breach. The lack of a readily available workaround or KEV listing suggests that the potential impact is largely addressed by remediation actions such as patching or restricting module usage.
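Restricting module usage is easier when the module set can be checked before jq ever loads it. The following Python script is an added example, not code from the advisory or the jq project: it scans a jq module search directory (the directories jq consults via -L) for modules that include or import each other, directly or indirectly, and reports each cycle. The directive syntax it parses (`include "path";` and `import "path" as name;` in `.jq` files, with the path given without the `.jq` suffix) is jq's documented module syntax; the module names and contents in `SAMPLE_MODULES` are constructed for illustration. A cycle found here is exactly the input that makes the affected loader recurse until the stack is exhausted, so the check is a cheap pre‑flight mitigation for hosts still on an unpatched release.

```python
"""Pre-flight check for jq module include cycles (added example, not jq project code)."""
import re
from pathlib import Path
from typing import Dict, List, Set

# jq module directives:  include "name";   import "name" as $x;   import "name" as x;
# The quoted path is relative to the search path and omits the .jq suffix.
_DIRECTIVE = re.compile(r'^\s*(?:include|import)\s+"([^"]+)"', re.MULTILINE)


def parse_dependencies(source: str) -> List[str]:
    """Return the module paths a jq source text includes or imports, in order."""
    return _DIRECTIVE.findall(source)


def build_graph(modules: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each module name (path without .jq) to the modules it depends on.

    Dependencies on modules outside the set are kept as leaves; only
    modules present in `modules` are followed when searching for cycles.
    """
    return {name: parse_dependencies(src) for name, src in modules.items()}


def find_cycles(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Depth-first search that reports every include cycle as a path.

    Colouring: WHITE = unvisited, GREY = on the current path, BLACK = done.
    Meeting a GREY neighbour means the path loops back; the cycle is the
    slice of the current path from that neighbour to the current node.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}
    path: List[str] = []
    cycles: List[List[str]] = []
    seen: Set[frozenset] = set()  # the same loop reached from two roots is reported once

    def visit(node: str) -> None:
        colour[node] = GREY
        path.append(node)
        for dep in graph.get(node, []):
            state = colour.get(dep, WHITE)
            if state == GREY:
                cycle = path[path.index(dep):] + [dep]
                key = frozenset(cycle)
                if key not in seen:
                    seen.add(key)
                    cycles.append(cycle)
            elif state == WHITE and dep in graph:
                visit(dep)
        path.pop()
        colour[node] = BLACK

    for name in sorted(graph):
        if colour[name] == WHITE:
            visit(name)
    return cycles


def load_modules(search_dir: Path) -> Dict[str, str]:
    """Read every *.jq file under a search directory, keyed like jq names them."""
    return {
        str(p.relative_to(search_dir).with_suffix("")): p.read_text(encoding="utf-8")
        for p in sorted(search_dir.rglob("*.jq"))
    }


# Constructed sample: three modules, two of which include each other.
SAMPLE_MODULES = {
    "a": 'include "b";\ndef helper: . + 1;\n',
    "b": 'include "a";\ndef other: . * 2;\n',
    "util": 'def safe: .;\n',
}

if __name__ == "__main__":
    # Replace SAMPLE_MODULES with load_modules(Path("/path/to/jq/modules")) for a real tree.
    for cyc in find_cycles(build_graph(SAMPLE_MODULES)):
        print("include cycle:", " -> ".join(cyc))
```

Run it against each directory passed to jq with -L (and `~/.jq` if modules live there) as part of a build or deployment check; a non‑empty result means the module set should be rejected before an unpatched jq is asked to load it.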
Risk and Exploitability
With a CVSS score of 5.4, the vulnerability is considered medium. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified from the data set. The flaw is not currently tracked in CISA's KEV, implying no documented, actively exploited instances. Attackers would need to supply jq modules that reference each other, which likely requires local or remote code execution privileges or the ability to influence the input fed to jq. The practical threat is therefore that a malicious actor could cause a denial‑of‑service by terminating processes that rely on jq, affecting the availability of dependent services.
OpenCVE Enrichment