The jq JSON processor versions up to 1.8.1 have a vulnerability (CWE-674) involving unbounded recursion in the functions jv_setpath(), jv_getpath(), and delpaths_sorted() located in src/jv_aux.c. These functions recursively process path arrays without enforcing a maximum recursion depth, allowing an attacker to supply a JSON document with a very large flat array (~65,000 integers) as a path argument. This causes the C call stack to overflow, crashing the jq process with a segmentation fault (SIGSEGV). The existing MAX_PARSING_DEPTH limit of 10,000 only protects the JSON parser stage, not these runtime path operations, enabling this denial of service. The vulnerability is addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

Successful exploitation causes an unrecoverable crash of the jq process due to stack exhaustion, resulting in denial of service. There is no impact on confidentiality or integrity. Any application or service that uses vulnerable jq versions to process untrusted JSON input with the affected builtins is susceptible to this denial of service.

A fix is available in jq at commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. Users should upgrade jq to a version including this commit or later to remediate this vulnerability. Patch status is not explicitly stated in vendor advisories here, so verify the vendor's official release notes for the fixed version. Until patched, avoid processing untrusted JSON input with the affected jq functions.