What Was Disclosed
GitHub published advisory GHSA-xwrw-4f8h-rjvg on April 13, 2026 for jq, the command-line JSON processor. The advisory covers CVE-2026-33947, a moderate availability issue in versions up to and including 1.8.1.
The affected code is not the basic JSON parser. It is the path-handling logic behind jv_setpath(), jv_getpath(), and delpaths_sorted(). A sufficiently long path array can drive unbounded recursion, exhaust the C call stack, and crash the process.
Why This Goes Beyond Parsing
NVD describes the issue as a denial-of-service risk for applications or services that process untrusted JSON through jq path operations. The important detail is that jq already has a parser depth limit, but this bug lives in runtime path processing after parsing.
That distinction matters for JSON tooling. A payload can be syntactically valid, pass a parser's depth checks, and still become dangerous when a filter, diff, validation step, or transformation walks a user-controlled path. Resource limits need to cover the whole workflow, not only the first JSON.parse-style boundary.
Where JSON Pipelines Are Exposed
The GitHub advisory calls out scenarios such as web services, CI/CD pipelines, shell scripts, and embedded libjq users where a trusted jq expression consumes external input. In those environments, a crash can interrupt API ingestion, deployment checks, data normalization, or log processing.
The broader April 2026 jq advisory wave also included parser, validation, hashing, and embedding issues. Taken together, those disclosures are a reminder that JSON processors are program runtimes. They need the same limits, isolation, and update discipline as other code that handles attacker-influenced data.
Guidance for Developers
If jq is part of a production path, check the exact binary or library package in use and follow vendor or distribution fixes for CVE-2026-33947. The upstream commit adds a path-depth check that returns an error instead of recursing until stack exhaustion.
For tool authors, the lesson is to budget for hostile but valid JSON. Put size, depth, timeout, and worker/process isolation around parsing and every follow-on transform. Local browser tools avoid sending pasted payloads to an application server, but they still need careful limits so a single oversized payload does not freeze the user's tab.
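As an added example (not jq's code, which is C, and not taken from the advisory or the upstream commit), the following Python sketches the defensive shape the two passages above describe: size and depth limits on the parsed input, plus jq-style getpath/setpath operations that walk a path array iteratively and reject an over-long path with an error rather than recursing until the stack is gone. The function names, the limit values, and the sample document and path are constructed for this illustration; in-place mutation in setpath is a simplification of jq's immutable values.

```python
"""Bounded, non-recursive path operations over parsed JSON.

Added example (not jq's code): the budgets below are constructed values,
chosen to show the idea, not to match jq's defaults.
"""
import json

MAX_INPUT_BYTES = 1 << 20   # constructed: reject oversized payloads up front
MAX_JSON_DEPTH = 64         # constructed: nesting limit on the parsed input
MAX_PATH_LEN = 256          # constructed: limit on path arrays fed to get/setpath


class LimitExceeded(ValueError):
    """Raised instead of letting a hostile-but-valid input consume resources."""


def json_depth(value):
    """Container nesting depth, computed with an explicit stack so the
    check itself cannot overflow the interpreter's recursion limit."""
    depth = 0
    stack = [(value, 0)]
    while stack:
        node, d = stack.pop()
        if isinstance(node, (dict, list)):
            d += 1
            depth = max(depth, d)
            children = node.values() if isinstance(node, dict) else node
            stack.extend((child, d) for child in children)
    return depth


def load_bounded(text):
    """Parse JSON only after a size check, then enforce a depth budget."""
    if len(text.encode("utf-8")) > MAX_INPUT_BYTES:
        raise LimitExceeded("input exceeds size budget")
    value = json.loads(text)
    if json_depth(value) > MAX_JSON_DEPTH:
        raise LimitExceeded("input exceeds nesting budget")
    return value


def check_path(path):
    """The post-parse check: a path array is runtime input too."""
    if not isinstance(path, list):
        raise LimitExceeded("path must be an array")
    if len(path) > MAX_PATH_LEN:
        raise LimitExceeded(f"path length {len(path)} exceeds {MAX_PATH_LEN}")


def getpath(value, path):
    """jq-style getpath: iterative walk; a missing element yields None (null)."""
    check_path(path)
    node = value
    for key in path:
        if isinstance(node, dict) and isinstance(key, str):
            node = node.get(key)
        elif isinstance(node, list) and isinstance(key, int) and -len(node) <= key < len(node):
            node = node[key]
        else:
            return None
    return node


def setpath(value, path, new):
    """jq-style setpath: creates intermediate containers as needed, iteratively.
    Mutates `value` in place (jq itself works on immutable values)."""
    check_path(path)
    if not path:
        return new
    root = value if value is not None else ({} if isinstance(path[0], str) else [])
    node = root
    for i, key in enumerate(path):
        last = i == len(path) - 1
        if isinstance(key, str):
            if not isinstance(node, dict):
                raise TypeError("cannot index non-object with string")
            if last:
                node[key] = new
                break
            child = node.get(key)
            if child is None:
                child = {} if isinstance(path[i + 1], str) else []
                node[key] = child
        elif isinstance(key, int) and not isinstance(key, bool):
            if not isinstance(node, list):
                raise TypeError("cannot index non-array with number")
            if key < 0:
                raise IndexError("out of bounds negative array index")
            while len(node) <= key:
                node.append(None)
            if last:
                node[key] = new
                break
            child = node[key]
            if child is None:
                child = {} if isinstance(path[i + 1], str) else []
                node[key] = child
        else:
            raise TypeError("path elements must be strings or integers")
        node = child
    return root


def demo():
    """Constructed sample: a shallow document passes the parser-side checks,
    yet an over-long path array is still rejected at the path-operation step."""
    doc = load_bounded('{"user": {"roles": ["admin"]}}')
    value = getpath(doc, ["user", "roles", 0])
    hostile_path = ["k"] * (MAX_PATH_LEN + 1)   # valid JSON, hostile length
    try:
        getpath(doc, hostile_path)
        rejected = False
    except LimitExceeded:
        rejected = True
    return value, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the split between `load_bounded` and `check_path` is the one the article makes: a depth limit applied at parse time says nothing about a path array that arrives as ordinary, shallow JSON and is then handed to a path operation, so the budget has to be enforced again at that second step.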