Primary

Context

jq Integer Overflow Vulnerability in jv_array_set Function Allowing Denial-of-Service

Vulnerability

Patched

A signed integer overflow vulnerability has been identified in jq, a command-line JSON processor, in versions through 1.7.1. The issue arises when an index value of 2147483647, the maximum for signed integers, is used to assign a value in an array. This overflow leads to a segmentation fault, causing a denial-of-service condition. The vulnerability has been patched in commit de21386681c0df0104a99d9d09db23a9b2a78b1e.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using jq version 1.7.1 and running a command that assigns a value using the index 2147483647. This can be done with the command 'jq -n '.[2147483647]=1'', which triggers the integer overflow and causes jq to crash with a segmentation fault.

Remediation

Users can upgrade to jq version 1.8.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

6.6

impact

2.5

exploitability

5.8

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.6

impact

2.5

exploitability

5.8

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

jq Integer Overflow Vulnerability in jv_array_set Function Allowing Denial-of-Service

Vulnerability

Impact

Reproduction

Remediation

Affected Products

jqlang jq

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating