Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40164

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 21 hours ago

jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

References

https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29 x_refsource_CONFIRM
https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784 x_refsource_MISC

Affected products

==< 0c7d133c3c7e37c00b6d46b658a02244fdd3c784

Matching in nixpkgs

pkgs.jq

Lightweight and flexible command-line JSON processor

nixos-unstable 1.8.1
- nixpkgs-unstable 1.8.1
- nixos-unstable-small 1.8.1
nixos-25.11 1.8.1
- nixos-25.11-small 1.8.1
- nixpkgs-25.11-darwin 1.8.1

pkgs.ijq

Interactive wrapper for jq

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.jql

JSON Query Language CLI tool built with Rust

nixos-unstable 8.0.10
- nixpkgs-unstable 8.0.10
- nixos-unstable-small 8.0.10
nixos-25.11 8.0.9
- nixos-25.11-small 8.0.9
- nixpkgs-25.11-darwin 8.0.9

pkgs.jqp

TUI playground to experiment with jq

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.8.0
- nixos-25.11-small 0.8.0
- nixpkgs-25.11-darwin 0.8.0

pkgs.njq

Command-line JSON processor using nix as query language

nixos-unstable 0.0.3.1
- nixpkgs-unstable 0.0.3.1
- nixos-unstable-small 0.0.3.1
nixos-25.11 0.0.3.1
- nixos-25.11-small 0.0.3.1
- nixpkgs-25.11-darwin 0.0.3.1

pkgs.gojq

Pure Go implementation of jq

nixos-unstable 0.12.19
- nixpkgs-unstable 0.12.19
- nixos-unstable-small 0.12.19
nixos-25.11 0.12.17
- nixos-25.11-small 0.12.17
- nixpkgs-25.11-darwin 0.12.17

pkgs.jqfmt

Like gofmt, but for jq

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0-unstable-2025-07-28
- nixos-25.11-small 0-unstable-2025-07-28
- nixpkgs-25.11-darwin 0-unstable-2025-07-28

pkgs.jq-lsp

jq language server

nixos-unstable 0.1.17
- nixpkgs-unstable 0.1.17
- nixos-unstable-small 0.1.17
nixos-25.11 0.1.15
- nixos-25.11-small 0.1.15
- nixpkgs-25.11-darwin 0.1.15

pkgs.jquake

Real-time earthquake map of Japan

nixos-unstable 1.8.5
- nixpkgs-unstable 1.8.5
- nixos-unstable-small 1.8.5
nixos-25.11 1.8.5
- nixos-25.11-small 1.8.5
- nixpkgs-25.11-darwin 1.8.5

pkgs.jq-zsh-plugin

Interactively build jq expressions in Zsh

nixos-unstable 0.6.1
- nixpkgs-unstable 0.6.1
- nixos-unstable-small 0.6.1
nixos-25.11 0.6.1
- nixos-25.11-small 0.6.1
- nixpkgs-25.11-darwin 0.6.1

pkgs.python312Packages.jq

Python bindings for jq, the flexible JSON processor

nixos-25.11 1.10.0
- nixos-25.11-small 1.10.0
- nixpkgs-25.11-darwin 1.10.0

pkgs.python313Packages.jq

Python bindings for jq, the flexible JSON processor

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0
nixos-25.11 1.10.0
- nixos-25.11-small 1.10.0
- nixpkgs-25.11-darwin 1.10.0

pkgs.python314Packages.jq

Python bindings for jq, the flexible JSON processor

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0

pkgs.python312Packages.llm-jq

Write and execute jq programs with the help of LLM

nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python313Packages.llm-jq

Write and execute jq programs with the help of LLM

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python314Packages.llm-jq

Write and execute jq programs with the help of LLM

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1

pkgs.haskellPackages.js-jquery

Obtain minified jQuery code

nixos-unstable 3.7.1
- nixpkgs-unstable 3.7.1
- nixos-unstable-small 3.7.1
nixos-25.11 3.7.1
- nixos-25.11-small 3.7.1
- nixpkgs-25.11-darwin 3.7.1

pkgs.tests.fetchpatch.relative

None

nixos-25.11 jqyhgd25h6w8
- nixos-25.11-small jqyhgd25h6w8
- nixpkgs-25.11-darwin jqyhgd25h6w8

pkgs.python312Packages.xstatic-jquery

jquery packaged static files for python

nixos-25.11 3.5.1.1
- nixos-25.11-small 3.5.1.1
- nixpkgs-25.11-darwin 3.5.1.1

pkgs.python313Packages.xstatic-jquery

jquery packaged static files for python

nixos-unstable 3.5.1.1
- nixpkgs-unstable 3.5.1.1
- nixos-unstable-small 3.5.1.1
nixos-25.11 3.5.1.1
- nixos-25.11-small 3.5.1.1
- nixpkgs-25.11-darwin 3.5.1.1

pkgs.python314Packages.xstatic-jquery

jquery packaged static files for python

nixos-unstable 3.5.1.1
- nixpkgs-unstable 3.5.1.1
- nixos-unstable-small 3.5.1.1

pkgs.python312Packages.django-jquery-js

jQuery, bundled up so apps can depend upon it

nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.python313Packages.django-jquery-js

jQuery, bundled up so apps can depend upon it

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.python314Packages.django-jquery-js

jQuery, bundled up so apps can depend upon it

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1

pkgs.python312Packages.xstatic-jquery-ui

jquery-ui packaged static files for python

nixos-25.11 1.13.0.1
- nixos-25.11-small 1.13.0.1
- nixpkgs-25.11-darwin 1.13.0.1

pkgs.python313Packages.xstatic-jquery-ui

jquery-ui packaged static files for python

nixos-unstable 1.13.0.1
- nixpkgs-unstable 1.13.0.1
- nixos-unstable-small 1.13.0.1
nixos-25.11 1.13.0.1
- nixos-25.11-small 1.13.0.1
- nixpkgs-25.11-darwin 1.13.0.1

pkgs.python314Packages.xstatic-jquery-ui

jquery-ui packaged static files for python

nixos-unstable 1.13.0.1
- nixpkgs-unstable 1.13.0.1
- nixos-unstable-small 1.13.0.1

pkgs.tree-sitter-grammars.tree-sitter-jq

Tree-sitter grammar for jq

nixos-unstable 0-unstable-2025-05-10
- nixpkgs-unstable 0-unstable-2025-05-10
- nixos-unstable-small 0-unstable-2025-05-10

pkgs.tests.fetchNextcloudApp.simple-sha512

None

nixos-25.11 s3jq31j8ddpg
- nixos-25.11-small s3jq31j8ddpg
- nixpkgs-25.11-darwin s3jq31j8ddpg

pkgs.vimPlugins.nvim-treesitter-parsers.jq

None

nixos-unstable 0.0.0+rev=c204e36
- nixpkgs-unstable 0.0.0+rev=c204e36
- nixos-unstable-small 0.0.0+rev=c204e36
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.python312Packages.sphinxcontrib-jquery

Extension to include jQuery on newer Sphinx releases

nixos-25.11 4.1
- nixos-25.11-small 4.1
- nixpkgs-25.11-darwin 4.1

pkgs.python313Packages.sphinxcontrib-jquery

Extension to include jQuery on newer Sphinx releases

nixos-unstable 4.1
- nixpkgs-unstable 4.1
- nixos-unstable-small 4.1
nixos-25.11 4.1
- nixos-25.11-small 4.1
- nixpkgs-25.11-darwin 4.1

pkgs.python314Packages.sphinxcontrib-jquery

Extension to include jQuery on newer Sphinx releases

nixos-unstable 4.1
- nixpkgs-unstable 4.1
- nixos-unstable-small 4.1

pkgs.tests.fetchFromGitHub.submodule-leave-git

None

nixos-unstable cjqxpb9q4nw2
- nixpkgs-unstable cjqxpb9q4nw2
- nixos-unstable-small cjqxpb9q4nw2

pkgs.python312Packages.xstatic-jquery-file-upload

jquery-file-upload packaged static files for python

nixos-25.11 10.31.0.1
- nixos-25.11-small 10.31.0.1
- nixpkgs-25.11-darwin 10.31.0.1

pkgs.python313Packages.xstatic-jquery-file-upload

jquery-file-upload packaged static files for python

nixos-unstable 10.31.0.1
- nixpkgs-unstable 10.31.0.1
- nixos-unstable-small 10.31.0.1
nixos-25.11 10.31.0.1
- nixos-25.11-small 10.31.0.1
- nixpkgs-25.11-darwin 10.31.0.1

pkgs.python314Packages.xstatic-jquery-file-upload

jquery-file-upload packaged static files for python

nixos-unstable 10.31.0.1
- nixpkgs-unstable 10.31.0.1
- nixos-unstable-small 10.31.0.1

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-jq

Python bindings for tree-sitter-jq

nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-jq

Python bindings for tree-sitter-jq

nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510

Package maintainers

@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
@justinas Justinas Stankevičius <justinas@justinas.org>
@mattpolzin Matt Polzin <matt.polzin@gmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@Artturin Artturi N <artturin@artturin.com>
@ncfavier Naïm Favier <n@monade.li>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@sysedwinistrator Edwin Mackenzie-Owen <edwin.mowen@gmail.com>
@vinnymeller Vinny Meller <vinnymeller@proton.me>
@heisfer Heisfer <heisfer@refract.dev>
@akshgpt7 Aksh Gupta <akshgpt7@gmail.com>
@dit7ya Mostly Void <7rat13@gmail.com>
@nessdoor Tomas Antonio Lopez <entropy.overseer@protonmail.com>
@powwu powwu <hello@powwu.sh>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@benley Benjamin Staffin <benley@gmail.com>
@josh Joshua Peek <josh@joshpeek.com>
@philiptaron Philip Taron <philip.taron@gmail.com>
@Erethon Dionysis Grigoropoulos <dgrig@erethon.com>
@KAction Dmitry Bogatov <KAction@disroot.org>
@makefu Felix Richter <makefu@syntax-fehler.de>
@stepbrobd Yifei Sun <ysun@hey.com>
@A-jay98 Ali Jamadi <ali@jamadi.me>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@adfaure Adrien Faure <adfaure@pm.me>
@aciceri Andrea Ciceri <andrea.ciceri@autistici.org>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.jq

pkgs.ijq

pkgs.jql

pkgs.jqp

pkgs.njq

pkgs.gojq

pkgs.jqfmt

pkgs.jq-lsp

pkgs.jquake

pkgs.jq-zsh-plugin

pkgs.python312Packages.jq

pkgs.python313Packages.jq

pkgs.python314Packages.jq

pkgs.python312Packages.llm-jq

pkgs.python313Packages.llm-jq

pkgs.python314Packages.llm-jq

pkgs.haskellPackages.js-jquery

pkgs.tests.fetchpatch.relative

pkgs.python312Packages.xstatic-jquery

pkgs.python313Packages.xstatic-jquery

pkgs.python314Packages.xstatic-jquery

pkgs.python312Packages.django-jquery-js

pkgs.python313Packages.django-jquery-js

pkgs.python314Packages.django-jquery-js

pkgs.python312Packages.xstatic-jquery-ui

pkgs.python313Packages.xstatic-jquery-ui

pkgs.python314Packages.xstatic-jquery-ui

pkgs.tree-sitter-grammars.tree-sitter-jq

pkgs.tests.fetchNextcloudApp.simple-sha512

pkgs.vimPlugins.nvim-treesitter-parsers.jq

pkgs.python312Packages.sphinxcontrib-jquery

pkgs.python313Packages.sphinxcontrib-jquery

pkgs.python314Packages.sphinxcontrib-jquery

pkgs.tests.fetchFromGitHub.submodule-leave-git

pkgs.python312Packages.xstatic-jquery-file-upload

pkgs.python313Packages.xstatic-jquery-file-upload

pkgs.python314Packages.xstatic-jquery-file-upload

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-jq

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-jq

Package maintainers