A 100KB file can crash servers running one of the world's most popular data tools
The jq JSON processor used by millions of developers contains a flaw that lets attackers exhaust CPU with a single malicious file. CI/CD pipelines and web services are at risk.
This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.
A single 100-kilobyte JSON file can bring down servers, crash build pipelines, and freeze web applications used by millions of people worldwide.
What's happening
Security researchers have discovered a high-severity vulnerability in jq, a command-line tool that processes JSON data and is used by countless developers, DevOps teams, and automated systems. The flaw allows attackers to create specially crafted JSON files that consume massive amounts of CPU time when processed, enabling denial-of-service attacks against any system that uses jq to handle untrusted data. Given that jq processes over 2.5 billion JSON operations daily across GitHub Actions, AWS Lambda functions, Docker containers, and web APIs, the impact could reach everything from your favorite mobile app's backend to critical infrastructure monitoring systems.
How the attack works
Think of jq's internal data processing like a library with numbered shelves. Normally, when you need to find a book, you go directly to the right shelf number—fast and efficient. But this vulnerability is like having a mischievous librarian who deliberately puts every single book on shelf number 7. Now when you need any book, you have to search through thousands of books crammed onto that one shelf.
An attacker exploits this by creating a JSON file where all the data keys are designed to land in the same internal storage bucket. Instead of jq quickly finding and processing each piece of data, it has to slowly search through an ever-growing pile. What should take milliseconds starts taking minutes or hours, consuming 100% of available CPU power until the system becomes unresponsive or crashes entirely.
The technical reality
The vulnerability stems from jq's use of MurmurHash3 with a hardcoded seed value of 0x432A9843 for JSON object hash table operations. Because the seed is the same in every copy of jq, the bucket a given key lands in is predictable, so an attacker can precompute a set of colliding keys offline once and reuse it against any target. A JSON object built from those keys degrades each hash table lookup from O(1) to O(n), so building an object of n keys costs O(n²) in total. The vulnerability receives a CVSS score of 7.5 (HIGH).
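As an added illustration (Python written for this article; it is not jq's source code and not taken from the technical analysis), the block below implements the published MurmurHash3 x86_32 function, seeds it with the 0x432A9843 value named above, and brute-forces keys that all share one bucket of a small chained table. The table, its power-of-two size and the "hash & (size - 1)" bucket rule are assumptions standing in for jq's internal object layout; the point is that with a fixed seed the colliding set can be computed once, offline, while a per-process random seed scatters the same keys.

```python
"""Added example, not jq's code: why a fixed MurmurHash3 seed makes
bucket collisions precomputable. murmur3_32 is the published
MurmurHash3 x86_32 algorithm; HASH_SEED is the value quoted in the
article. The chained table is a toy stand-in for jq's object layout."""

import os
from collections import defaultdict

HASH_SEED = 0x432A9843   # seed value quoted in the article
M32 = 0xFFFFFFFF


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & M32


def murmur3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32 (Austin Appleby), 32-bit arithmetic emulated."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & M32
        k = rotl32(k, 15)
        k = (k * c2) & M32
        h ^= k
        h = rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & M32
    tail = data[4 * nblocks:]                     # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & M32
        k = rotl32(k, 15)
        k = (k * c2) & M32
        h ^= k
    h ^= len(data)                                # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    h ^= h >> 16
    return h


def bucket_of(key: str, seed: int, nbuckets: int) -> int:
    # Assumption: a power-of-two table indexed by the low bits of the hash.
    return murmur3_32(key.encode(), seed) & (nbuckets - 1)


def colliding_keys(seed: int, nbuckets: int, count: int) -> list:
    """Brute-force `count` distinct keys that share one bucket under `seed`.
    This offline search is only possible because the seed is known."""
    target = bucket_of("k0", seed, nbuckets)
    keys, i = [], 0
    while len(keys) < count:
        key = f"k{i}"
        if bucket_of(key, seed, nbuckets) == target:
            keys.append(key)
        i += 1
    return keys


def longest_chain(keys, seed: int, nbuckets: int) -> int:
    """Longest chain after inserting `keys` into a chained table; every
    lookup in that bucket has to walk the whole chain."""
    chains = defaultdict(int)
    for key in keys:
        chains[bucket_of(key, seed, nbuckets)] += 1
    return max(chains.values())


if __name__ == "__main__":
    n, size = 64, 1024
    keys = colliding_keys(HASH_SEED, size, n)     # precomputed once, offline
    print("fixed seed, longest chain:", longest_chain(keys, HASH_SEED, size))
    random_seed = int.from_bytes(os.urandom(4), "little")
    print("random seed, longest chain:", longest_chain(keys, random_seed, size))
```

Run stand-alone, the script reports all 64 keys in one chain under the fixed seed and only a handful under a fresh random seed, which is exactly why randomising the seed per process defeats precomputed collisions.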
Who is at risk
Any system running a jq build that predates commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 is vulnerable. This particularly affects:
CI/CD pipelines that process JSON configuration files or API responses during builds and deployments. Web services and APIs that use jq to transform or validate JSON data from users or external sources. Data processing scripts in analytics platforms, log processing systems, and ETL pipelines. Container environments where jq is commonly installed for JSON manipulation tasks.
The risk is highest for systems that process JSON data from untrusted sources—including user uploads, API responses from third-party services, or any automated system that accepts JSON input without strict size or structure validation.
What you should do right now
1. Update jq immediately: Upgrade to jq version 1.7 or later, which includes the fix for this vulnerability. Use your package manager: apt update && apt upgrade jq on Ubuntu/Debian, brew upgrade jq on macOS, or download the latest release from GitHub. Distribution packages sometimes backport fixes without changing the version number, so check your distribution's security advisory rather than relying on the version string alone.
2. Audit your infrastructure: Search for jq usage across your Docker images, CI/CD pipelines, Lambda functions, and shell scripts. Check the version with jq --version and create an inventory of all instances that need updating. A copy of jq baked into a Docker base image or CI runner image is only fixed when that image is rebuilt or updated, not when the host package is upgraded.
3. Implement input validation and limits: Add JSON size limits (restrict to under 1MB unless specifically needed) and consider a pre-check that rejects objects with an unusually large number of keys or extreme nesting before the data reaches jq. Colliding keys do not have to repeat; they only have to be numerous, so count keys rather than looking for duplicates. As a backstop, run jq under a CPU time or wall-clock limit (for example the timeout command or ulimit -t) so a malicious file fails fast instead of pinning a core indefinitely.
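One way to implement step 3, as an added example (Python written for this article; not code from jq or from the technical analysis): parse the untrusted document with Python's own JSON parser first, enforcing a size cap, a nesting cap and per-object and total key counts, and only then hand it to jq under a timeout. The limits, the function names and the run_jq_checked helper are assumptions to adapt to your data; the 1MB cap follows the article's guideline.

```python
"""Added example, not jq's code or the article's: a pre-check to run on
untrusted JSON before it reaches jq. Limits are assumed values to tune."""

import json
import shutil
import subprocess

MAX_BYTES = 1_000_000          # the article's "under 1MB" guideline
MAX_DEPTH = 64                 # assumed ceiling on [ / { nesting
MAX_KEYS_PER_OBJECT = 10_000   # assumed; a colliding payload needs many keys in one object
MAX_TOTAL_KEYS = 100_000       # assumed ceiling across the whole document


class JsonRejected(ValueError):
    """Raised when the input violates a limit; the caller must not run jq."""


def nesting_depth(data: bytes) -> int:
    """Deepest [ / { nesting, ignoring bracket characters inside strings."""
    depth = peak = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:              # backslash starts an escape
                escaped = True
            elif b == 0x22:              # closing quote
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):          # [ or {
            depth += 1
            peak = max(peak, depth)
        elif b in (0x5D, 0x7D):          # ] or }
            depth -= 1
    return peak


def check_json(data: bytes) -> dict:
    """Return summary stats if `data` is within limits, else raise JsonRejected.
    Python's dict hashes str keys with a per-process randomised hash, so
    counting keys here does not reintroduce the quadratic behaviour."""
    if len(data) > MAX_BYTES:
        raise JsonRejected(f"{len(data)} bytes exceeds limit of {MAX_BYTES}")
    depth = nesting_depth(data)
    if depth > MAX_DEPTH:
        raise JsonRejected(f"nesting depth {depth} exceeds limit of {MAX_DEPTH}")
    stats = {"objects": 0, "keys": 0, "max_keys_in_object": 0, "depth": depth}

    def on_object(pairs):                # called once per parsed object
        n = len(pairs)
        stats["objects"] += 1
        stats["keys"] += n
        stats["max_keys_in_object"] = max(stats["max_keys_in_object"], n)
        if n > MAX_KEYS_PER_OBJECT:
            raise JsonRejected(f"object with {n} keys exceeds limit of {MAX_KEYS_PER_OBJECT}")
        if stats["keys"] > MAX_TOTAL_KEYS:
            raise JsonRejected(f"more than {MAX_TOTAL_KEYS} keys in document")
        return dict(pairs)

    try:
        json.loads(data, object_pairs_hook=on_object)
    except (json.JSONDecodeError, RecursionError, UnicodeDecodeError) as exc:
        raise JsonRejected(f"not valid JSON: {exc}") from None
    return stats


def is_safe(data: bytes) -> bool:
    try:
        check_json(data)
        return True
    except JsonRejected:
        return False


def run_jq_checked(jq_filter: str, data: bytes, timeout_s: float = 5.0) -> bytes:
    """Validate, then run jq with a wall-clock timeout as a second line of
    defence: anything that slips past the checks still cannot pin a CPU
    indefinitely. Needs a jq binary on PATH (assumed)."""
    check_json(data)
    result = subprocess.run(["jq", "-c", jq_filter], input=data,
                            capture_output=True, timeout=timeout_s, check=True)
    return result.stdout


if __name__ == "__main__":
    sample = b'{"a": 1, "b": [1, 2, {"c": 3}]}'       # constructed sample input
    print(check_json(sample))
    # constructed payload: one object with too many keys (about 100KB)
    crafted = b'{' + b','.join(b'"k%d":0' % i for i in range(MAX_KEYS_PER_OBJECT + 1)) + b'}'
    print("crafted accepted?", is_safe(crafted))
    if shutil.which("jq"):
        print(run_jq_checked(".b[2].c", sample))
```

The pre-check parses in Python rather than jq because Python's string hashing is randomised per process; the subprocess timeout is the belt-and-braces control for any input the static limits miss.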
The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.
Read technical analysis →