jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()

...

SUSE CVE-2026-33947

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath, jvgetpath, and delpathssorted in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON...

CVE-2026-33947

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath, jvgetpath, and delpathssorted in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON...

CVE-2026-33947

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath, jvgetpath, and delpathssorted in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON...

CVE-2026-33947 jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath, jvgetpath, and delpathssorted in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON...

CVE-2026-33947

Vulnerability summary (CVE-2026-33947) : In jq ≤ 1.8.1, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in src/jv_aux.c perform unbounded recursion whose depth is driven by a caller-supplied path array. A crafted JSON input (flat array ~65,000 integers, ~200 KB) used as a path argumen...

PT-2026-32541

Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier Description A command-line JSON processor is subject to a denial of service. The functions jv setpath, jv getpath, and delpaths sorted in src/jv aux.c use unbounded recursion where the depth is controlled by the...

EUVD-2025-26876

Malicious code in bioql PyPI...

Hono 安全漏洞

Hono is a web framework written in TypeScript from the Hono community. A security vulnerability exists in Hono 4.9.5 and earlier versions, which stems from an error in the path resolution of the getPath function and could lead to bypassing proxy ACLs...

CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...

CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...

CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...

Use of Incorrectly-Resolved Name or Reference

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the getPath function in the utils/url.ts file. An attacker can gain unauthorized access to protected endpoints by sending specially craft...

CVE-2022-21191

A flaw was found in global-modules-path. This issue may allow command injection via getPath due to missing input sanitization or other checks and sandboxes being employed to the getPath function...

Command Injection

global-modules-path is vulnerable to Command Injection. The vulnerability exists due to the insecure usage of execSync in index.js, allowing an attacker to inject and execute malicious commands such as getPath"something & touch abc", "somethingElse & touch def"...

CVE-2022-21191

Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function...

CVE-2022-21191

CVE-2022-21191 concerns the npm package global-modules-path . Versions prior to 3.0.0 are vulnerable to a Command Injection via the internal getPath function caused by missing input sanitization and sandboxing. The result is a high-risk condition, with confirmed references across multiple sources...

PT-2023-12664 · Unknown · Global-Modules-Path

Name of the Vulnerable Software and Affected Versions: global-modules-path versions prior to 3.0.0 Description: The issue is related to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function. This allows for potential exploitation...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function. PoC js var root = require"global-modules-path" root.getPath"& touch JHU","& touch exploit" Remediation Upgrade...

Disclosure of users files when deleting parent folders of shared files - ownCloud

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that...