jq Stack Overflow Vulnerability in Module Loader Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in jq, a command-line JSON processor, in versions through 1.8.2rc1. The issue arises in the ordinary module loader, which fails to detect cycles when two valid modules include each other. This lack of cycle detection allows for unbounded recursion, leading to stack exhaustion and crashing the jq process. The vulnerability can be exploited by creating a pair of mutually including modules and loading them with jq.

Impact

Exploitation of this vulnerability causes the jq process to crash due to stack exhaustion from unbounded recursion, disrupting any workflow that relies on jq for processing JSON.

Reproduction

The vulnerability can be reproduced by building jq with AddressSanitizer and UndefinedBehaviorSanitizer enabled. After compiling jq, create a 'witness' directory containing two files, 'a.jq' and 'b.jq', which include each other. Then, run jq with the '-L' option to load the 'witness' directory and execute a command that triggers the mutual inclusion, causing a stack overflow.