jq Embedded NUL Byte Vulnerability Causes JSON Validation Bypass

A vulnerability in jq, a command-line JSON processor, allows for validation bypass of JSON input through the use of embedded NUL bytes. This issue is present in versions prior to the commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b. The vulnerability arises because jq's input parsing method uses strlen() to determine buffer length, which truncates the input at the first NUL byte. As a result, only the JSON prefix before the NUL is validated, while any malicious data following the NUL is silently discarded. This creates a risk in workflows that rely on jq for JSON validation, as downstream consumers may process the full input, including the ignored trailing bytes, potentially leading to unintended consequences.

Impact

Exploitation of this vulnerability can cause validation bypass in workflows that use jq to validate untrusted JSON before further processing. An attacker could craft input with a harmless JSON prefix followed by malicious data, exploiting the difference in how jq and subsequent components handle the input.

Reproduction

The vulnerability can be reproduced by using jq to parse a JSON file or input stream that contains an embedded NUL byte. This can be done by creating a payload with a valid JSON structure followed by a NUL byte and additional data. When this payload is processed by jq, only the portion before the NUL byte is validated, allowing the trailing data to bypass scrutiny.

Remediation

Users should update to the latest version of jq, where this vulnerability has been fixed.