jq Unbounded Recursion Vulnerability in Path Functions Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in jq, a command-line JSON processor, affecting versions through 1.8.1. The issue arises in the 'jv_setpath()', 'jv_getpath()', and 'delpaths_sorted()' functions in 'src/jv_aux.c', which recurse once per element of a caller-supplied path array with no limit enforced on that depth at runtime. An attacker can exploit this by supplying a JSON document containing a flat array of approximately 65,000 integers; when a trusted jq filter passes that array as a path to one of these functions, the recursion exhausts the C call stack. The process crashes with a segmentation fault. The existing JSON parsing depth limit of 10,000 does not help here, because that limit bounds nesting depth and the triggering array is flat. The vulnerability affects any application or service that uses jq to process untrusted JSON input through these built-in functions, leading to an unrecoverable crash.

Impact

Exploiting this vulnerability causes an immediate and unrecoverable crash of the jq process, with a segmentation fault indicating a stack overflow. This disruption can halt any application or service relying on jq for JSON processing, especially in environments like web services, CI/CD pipelines, or shell scripts that handle untrusted data.

Reproduction

The vulnerability can be reproduced by crafting a JSON file that contains a path array of 65,000 elements. Such a file can be generated with a short Python script that builds the array and writes it out as a JSON document. Once the file is prepared, running a jq command that applies the 'setpath' function with the crafted path results in a segmentation fault and process crash. Alternatively, the vulnerability can be triggered without an input file by using a jq filter that constructs a deep path array itself, such as 'range(65000)|0' collected into an array, with the 'setpath' or 'getpath' functions, or by using 'delpaths' with a similar path structure.

Remediation

Users can update to jq version 1.8.2 or later, where this vulnerability has been fixed. Instructions for updating can be found in the jq repository on GitHub.
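For deployments that feed untrusted JSON into jq filters built on setpath, getpath or delpaths, an input screen can reject documents carrying an array large enough to drive this recursion. The following is an added example written for this advisory, not jq project code; the 10,000-element threshold is an assumed policy value, not a jq limit, and the walker is deliberately iterative so the check itself cannot overflow the stack.

```python
import json
from collections import deque

# Assumed threshold for the longest array an untrusted document may carry
# before it is refused; no realistic jq path is anywhere near this length.
MAX_PATH_ARRAY = 10_000


def longest_array(doc):
    """Return the length of the longest array anywhere in a parsed JSON value.

    Iterative breadth-first walk: a recursive walker would reproduce the
    same class of bug this check is meant to stop.
    """
    longest = 0
    queue = deque([doc])
    while queue:
        node = queue.popleft()
        if isinstance(node, list):
            longest = max(longest, len(node))
            queue.extend(node)
        elif isinstance(node, dict):
            queue.extend(node.values())
    return longest


def check_untrusted_json(raw, limit=MAX_PATH_ARRAY):
    """Parse raw JSON text and return (ok, reason).

    Rejects documents whose arrays could be used as an oversized path by a
    jq filter; callers should not run jq on rejected input.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return False, f"invalid JSON: {exc}"
    longest = longest_array(doc)
    if longest > limit:
        return False, f"array of {longest} elements exceeds limit {limit}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a benign document and one shaped like the
    # flat ~65,000-integer array described in the advisory.
    benign = '{"path": ["a", "b", 0], "value": 1}'
    hostile = json.dumps({"path": [0] * 65_000})
    print(check_untrusted_json(benign))   # (True, 'ok')
    print(check_untrusted_json(hostile))  # (False, 'array of 65000 elements exceeds limit 10000')
```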

Added: Apr 13, 2026, 10:42 PM
Updated: Apr 13, 2026, 10:42 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:         0.6
exploitability: 6.0
remediation:    0.0
relevance:      5.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.