Nixpkgs security tracker
jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
References
-
https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p x_refsource_CONFIRM
Affected products
- ==< 2f09060afab23fe9390cce7cb860b10416e1bf5f
Matching in nixpkgs
pkgs.jq
Lightweight and flexible command-line JSON processor
pkgs.ijq
Interactive wrapper for jq
pkgs.jql
JSON Query Language CLI tool built with Rust
pkgs.jqp
TUI playground to experiment with jq
pkgs.njq
Command-line JSON processor using nix as query language
pkgs.gojq
Pure Go implementation of jq
pkgs.jqfmt
Like gofmt, but for jq
-
nixos-25.11 0-unstable-2025-07-28
- nixos-25.11-small 0-unstable-2025-07-28
- nixpkgs-25.11-darwin 0-unstable-2025-07-28
pkgs.jq-lsp
jq language server
pkgs.jquake
Real-time earthquake map of Japan
pkgs.jq-zsh-plugin
Interactively build jq expressions in Zsh
pkgs.python312Packages.jq
Python bindings for jq, the flexible JSON processor
pkgs.python313Packages.jq
Python bindings for jq, the flexible JSON processor
pkgs.python314Packages.jq
Python bindings for jq, the flexible JSON processor
pkgs.python312Packages.llm-jq
Write and execute jq programs with the help of LLM
pkgs.python313Packages.llm-jq
Write and execute jq programs with the help of LLM
pkgs.python314Packages.llm-jq
Write and execute jq programs with the help of LLM
pkgs.haskellPackages.js-jquery
Obtain minified jQuery code
pkgs.tests.fetchpatch.relative
None
-
nixos-25.11 jqyhgd25h6w8
- nixos-25.11-small jqyhgd25h6w8
- nixpkgs-25.11-darwin jqyhgd25h6w8
pkgs.python312Packages.xstatic-jquery
jquery packaged static files for python
pkgs.python313Packages.xstatic-jquery
jquery packaged static files for python
pkgs.python314Packages.xstatic-jquery
jquery packaged static files for python
pkgs.python312Packages.django-jquery-js
jQuery, bundled up so apps can depend upon it
pkgs.python313Packages.django-jquery-js
jQuery, bundled up so apps can depend upon it
pkgs.python314Packages.django-jquery-js
jQuery, bundled up so apps can depend upon it
pkgs.python312Packages.xstatic-jquery-ui
jquery-ui packaged static files for python
pkgs.python313Packages.xstatic-jquery-ui
jquery-ui packaged static files for python
pkgs.python314Packages.xstatic-jquery-ui
jquery-ui packaged static files for python
pkgs.tree-sitter-grammars.tree-sitter-jq
Tree-sitter grammar for jq
-
nixos-unstable 0-unstable-2025-05-10
- nixpkgs-unstable 0-unstable-2025-05-10
- nixos-unstable-small 0-unstable-2025-05-10
pkgs.tests.fetchNextcloudApp.simple-sha512
None
-
nixos-25.11 s3jq31j8ddpg
- nixos-25.11-small s3jq31j8ddpg
- nixpkgs-25.11-darwin s3jq31j8ddpg
pkgs.vimPlugins.nvim-treesitter-parsers.jq
None
-
nixos-unstable 0.0.0+rev=c204e36
- nixpkgs-unstable 0.0.0+rev=c204e36
- nixos-unstable-small 0.0.0+rev=c204e36
pkgs.python312Packages.sphinxcontrib-jquery
Extension to include jQuery on newer Sphinx releases
pkgs.python313Packages.sphinxcontrib-jquery
Extension to include jQuery on newer Sphinx releases
pkgs.python314Packages.sphinxcontrib-jquery
Extension to include jQuery on newer Sphinx releases
-
nixos-unstable cjqxpb9q4nw2
- nixpkgs-unstable cjqxpb9q4nw2
- nixos-unstable-small cjqxpb9q4nw2
pkgs.python312Packages.xstatic-jquery-file-upload
jquery-file-upload packaged static files for python
pkgs.python313Packages.xstatic-jquery-file-upload
jquery-file-upload packaged static files for python
pkgs.python314Packages.xstatic-jquery-file-upload
jquery-file-upload packaged static files for python
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-jq
Python bindings for tree-sitter-jq
-
nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-jq
Python bindings for tree-sitter-jq
-
nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510
Package maintainers
-
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
-
@justinas Justinas Stankevičius <justinas@justinas.org>
-
@mattpolzin Matt Polzin <matt.polzin@gmail.com>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@Artturin Artturi N <artturin@artturin.com>
-
@ncfavier Naïm Favier <n@monade.li>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@06kellyjac Jack <hello+nixpkgs@j-k.io>
-
@sysedwinistrator Edwin Mackenzie-Owen <edwin.mowen@gmail.com>
-
@vinnymeller Vinny Meller <vinnymeller@proton.me>
-
@heisfer Heisfer <heisfer@refract.dev>
-
@akshgpt7 Aksh Gupta <akshgpt7@gmail.com>
-
@dit7ya Mostly Void <7rat13@gmail.com>
-
@nessdoor Tomas Antonio Lopez <entropy.overseer@protonmail.com>
-
@powwu powwu <hello@powwu.sh>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@benley Benjamin Staffin <benley@gmail.com>
-
@josh Joshua Peek <josh@joshpeek.com>
-
@philiptaron Philip Taron <philip.taron@gmail.com>
-
@Erethon Dionysis Grigoropoulos <dgrig@erethon.com>
-
@KAction Dmitry Bogatov <KAction@disroot.org>
-
@makefu Felix Richter <makefu@syntax-fehler.de>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@aciceri Andrea Ciceri <andrea.ciceri@autistici.org>