jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
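The degradation described above, reproduced on a toy table as an added example (not code from jq or from the patch). The mixer `toy_hash`, the seed value `0x12345678` and all function names are assumptions made for this demo; the per-process seed read from `/dev/urandom` illustrates a general mitigation and is not a description of what the jq commit does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS 256u   /* chained table with a fixed bucket count */
#define MAXN 4096      /* capacity of the chain-link array */

/* Toy seeded mixer (assumption for this demo; not MurmurHash3, not jq code). */
static uint32_t toy_hash(uint32_t key, uint32_t seed) {
    uint32_t h = key ^ seed;
    h ^= h >> 16; h *= 0x7feb352du;
    h ^= h >> 15; h *= 0x846ca68bu;
    h ^= h >> 16;
    return h;
}

/* Constructed worst case: n keys sharing bucket 0 under a seed known in advance. */
static void colliding_keys(uint32_t known_seed, uint32_t *out, int n) {
    for (uint32_t k = 0; n > 0; k++)
        if (toy_hash(k, known_seed) % BUCKETS == 0) { *out++ = k; n--; }
}

/* Insert n keys (n <= MAXN); return how many chain entries were walked past. */
static unsigned long insert_cost(const uint32_t *keys, int n, uint32_t seed) {
    static int head[BUCKETS], next[MAXN];
    unsigned long cmp = 0;
    memset(head, -1, sizeof head);               /* -1 marks an empty chain */
    for (int i = 0; i < n; i++) {
        uint32_t b = toy_hash(keys[i], seed) % BUCKETS;
        int j = head[b];
        for (; j >= 0 && keys[j] != keys[i]; j = next[j]) cmp++;  /* walk chain */
        if (j < 0) { next[i] = head[b]; head[b] = i; }            /* link new key */
    }
    return cmp;
}

int main(void) {
    enum { N = 2000 };
    static uint32_t keys[N];
    const uint32_t fixed = 0x12345678u;   /* hypothetical hardcoded seed */
    uint32_t fresh = 0;                   /* per-process seed from the OS */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&fresh, sizeof fresh, 1, f) != 1) return 1;
    fclose(f);
    colliding_keys(fixed, keys, N);
    printf("fixed seed:  %lu comparisons\n", insert_cost(keys, N, fixed));
    printf("random seed: %lu comparisons\n", insert_cost(keys, N, fresh));
    return 0;
}
```

With the seed the keys were built for, every insert walks the whole chain and the total is n(n-1)/2; under any seed the key set was not built for, the same keys spread across buckets and the count drops by roughly the bucket count.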
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H