CVE-2026-33947 jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath, jvgetpath, and delpathssorted in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON...

PT-2026-32541

Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier Description A command-line JSON processor is subject to a denial of service. The functions jv setpath, jv getpath, and delpaths sorted in src/jv aux.c use unbounded recursion where the depth is controlled by the...