jq Unbounded Recursion Vulnerability in Object Merge Operation Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in jq, a command-line JSON processor, in versions through 1.8.1. The issue arises from unbounded recursion in the 'jv_object_merge_recursive()' function, which merges nested objects without a depth limit. This flaw can be exploited by crafting a jq program that causes the process to crash with a segmentation fault. The vulnerability is triggered using the '*' operator when both operands are objects, leading to a stack overflow and process termination.

Impact

Exploitation of this vulnerability causes a segmentation fault, terminating the jq process. While this crash is not exploitable for code execution on modern systems due to stack guard pages, it disrupts any workflows relying on jq for JSON processing.

Reproduction

To reproduce this vulnerability, create a jq program that uses the '*' operator to merge a deeply nested object with itself. This can be done by using the 'reduce' function to build an object 75,000 levels deep, then applying the '*' operator to trigger the recursive merge. Save this program as 'poc.jq' and run it with jq 1.8.1 on a x86_64 Linux system. The process will crash with a segmentation fault, which can be confirmed using AddressSanitizer and GDB.