The jq JSON processor used a weak hash implementation (MurmurHash3 with a fixed seed) for JSON object hash tables, enabling attackers to precompute key collisions offline. By submitting a crafted JSON object (~100 KB) with colliding keys, attackers can cause hash table lookups to degrade from constant time to linear time, causing jq expressions to run in quadratic time and exhaust CPU resources. This vulnerability impacts jq versions before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 and has been fixed in that commit.

Exploitation leads to significant CPU exhaustion due to degraded hash table performance, impacting availability and performance of jq in automated pipelines, web services, and data processing. There is no confidentiality or integrity impact reported. The CVSS score is 7.5 (high severity) reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact on availability only.

A fix is available and has been applied in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. Users should upgrade jq to this commit or later to remediate the vulnerability. No other mitigation is indicated or required.