{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33947", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-13T21:50:18.814Z", "dateUpdated": "2026-04-14T13:45:13.483Z"}, "containers": {"cna": {"title": "jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"}, {"name": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "< fb59f1491058d58bdc3e8dd28f1773d1ac690a1f", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T21:50:18.814Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f."}], "source": {"advisory": "GHSA-xwrw-4f8h-rjvg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:45:08.694594Z", "id": "CVE-2026-33947", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:45:13.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33947", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:45:08.694594Z"}}}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:45:04.463Z"}}], "cna": {"title": "jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()", "source": {"advisory": "GHSA-xwrw-4f8h-rjvg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "< fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f", "name": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T21:50:18.814Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33947", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:45:13.483Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T21:50:18.814Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f."}], "id": "CVE-2026-33947", "lastModified": "2026-04-14T15:16:28.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:29.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"}, {"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted()", "id": "2458038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458038"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-674", "details": ["A flaw was found in jq, a command line JSON processor. Processing a crafted JSON document, specifically when a large array is used as a path argument to the `jv_setpath`, `jv_getpath` and `delpaths_sorted` functions can lead to an uncontrolled recursion and exhausts the call stack, causing an application crash and resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Do not process untrusted input with the jq command line JSON processor."}, "name": "CVE-2026-33947", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T21:50:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33947\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33947\nhttps://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f\nhttps://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"], "statement": "To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `setpath`, `getpath` or `delpaths` builtins. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "< fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jq", "source": "cna", "vendor": "jqlang"}, "product": "jq", "vendor": "jqlang"}], "analysis": {"en": {"generated_at": "2026-04-14T00:20:35.011302+00:00", "value": {"mitigation_remediation": ["Upgrade jq to version 1.8.2 or later, which incorporates a limit on recursion depth for setpath, getpath, and delpaths functions.", "If an upgrade is not immediately possible, validate or truncate any path arrays before passing them to jq to keep recursion depth within a safe bound.", "Ensure that applications using jq\u2019s setpath, getpath, or delpaths built\u2011ins run the command in a sandboxed or isolated process that can be restarted if a crash occurs."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the jq JSON processor supplied by the jqlang project. Any deployment of jq version 1.8.1 or earlier is susceptible. This includes any application or service that incorporates jq and passes untrusted JSON through the setpath, getpath, or delpaths built\u2011in functions, regardless of the operating system or environment.", "description_and_impact": "jq is a command\u2011line JSON processor in which, up to and including version 1.8.1, the internal functions jv_setpath, jv_getpath, and delpaths_sorted perform recursive traversals that are bounded only by the length of a caller\u2011supplied path array. An attacker can construct a JSON document containing a flat array of roughly 65,000 integers (about 200\u202fKB) and use it as a path argument for a trusted jq filter. This causes the functions to recurse deeply, exhausting the C call stack and resulting in a segmentation fault. The failure is unrecoverable, bringing the process to a halt, and therefore constitutes a denial\u2011of\u2011service condition. The weakness is identified as CWE\u2011674: Uncontrolled Recursion.", "risk_and_exploitability": "The CVSS base score of 6.2 reflects moderate severity. No EPSS score is available, and the issue is not listed in CISA\u2019s KEV catalog. Attackers can trigger the crash by providing a crafted JSON payload to any service that evaluates it with jq. Because the recursion depth is not bounded at runtime, an attacker can perform the exploit from a remote connection that feeds JSON to the service or, locally, from any input channel that reaches the vulnerable jq functions. The impact remains a service outage, and given the ease of creating the payload and lack of additional mitigations in affected releases, the risk of exploitation remains significant."}}}}, "created": "2026-04-14T16:17:04.248113+00:00", "updated": "2026-04-14T16:32:55.540760+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}