Description
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/04/24/4
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/stedolan/jq/issues/1136
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/04/24/3
Product, Third Party Advisory x_refsource_misc
https://github.com/stedolan/jq/
Patch, Third Party Advisory x_refsource_misc
https://github.com/NixOS/nixpkgs/pull/18908
Third Party Advisory x_refsource_misc
https://github.com/hashicorp/consul/issues/10263
Scores
CVSS v3
7.5
EPSS
0.0533
EPSS Percentile
91.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (1)
jq_project/jq
< 1.5
Published
May 06, 2016
Tracked Since
Feb 18, 2026