jq: CVE-2024-53427 & CVE-2025-48060

[h0nIg]

Nixpkgs version

• Stable (25.05)

Describe the bug

CVE-2024-53427 (8.1 score) and CVE-2025-48060 (7.7 score) should get patched, as the maintainer does not plan to provide a near-future release: jqlang/jq#3315

https://nvd.nist.gov/vuln/detail/CVE-2024-53427
https://nvd.nist.gov/vuln/detail/CVE-2025-48060

Steps to reproduce

see

Expected behaviour

patched

Screenshots

No response

Relevant log output

Additional context

No response

System metadata

25.05

Notify maintainers

@raskin
@Artturin
@ncfavier

---

Note for maintainers: Please tag this issue in your pull request description. (i.e. Resolves #ISSUE.)

I assert that this issue is relevant for Nixpkgs

• I assert that this is a bug and not a support request.
• I assert that this is not a duplicate of an existing issue.
• I assert that I have read the NixOS Code of Conduct and agree to abide by it.

Is this issue important to you?

Add a 👍 reaction to issues you find important.

[kuflierl]

I see, this does seem to be an issue...
The following commits would need to be backported:
CVE-2025-48060 (7.7): TBA (No official patch for this)
CVE-2024-53427 (8.1): jqlang/jq@a09a4df
CVE-2024-23337 (4.1): jqlang/jq@de21386 (Unsure about this one, doesn't seem to be that critical)

[LordGrimmauld]

We discussed this particular issue on matrix a bit.
With jq upstream releasing quite slowly, one possible suggestion might be to not just cherry-pick the security fixes, but instead run a -unstable version and use unstableGitUpdater.

It was also suggested to try and migrate jq usage to more maintained tools in less unsafe languages, such as the yq-go tool. While none of those replacements are fully drop-in for jq, migrating for internal tooling such as update scripts might be possible.

However, jq is part of the bootstrap chain on darwin, which makes any change to its derivation quite expensive.

[kuflierl]

We discussed this particular issue on matrix a bit. With jq upstream releasing quite slowly, one possible suggestion might be to not just cherry-pick the security fixes, but instead run a -unstable version and use unstableGitUpdater.

While this might be the best solution for the unstable branch, though i am not quite sure for the stable branches (24.11, 25.05). When i last looked there was a difference of at least 149 commits. Since the next release is 1.8 we may expect breaking changes.

It was also suggested to try and migrate jq usage to more maintained tools in less unsafe languages, such as the yq-go tool. While none of those replacements are fully drop-in for jq, migrating for internal tooling such as update scripts might be possible.

I might agree with this. There seem to be 2 rewrites that are currently plausible https://github.com/itchyny/gojq, https://github.com/01mf02/jaq. Both seem to be of similar maturity. (Maybe a not that correct. The go rewrite seems to be much older ~6 years, though seems to receive less attention on a per year basis than the rust rewrite ~3 years. This might just be due to the rust rewrite craze but both projects would need to be evaluated closer.)
We might want to start with the parts of the infra that wouldn't trigger a catastrophic mass-rebuild

However, jq is part of the bootstrap chain on darwin, which makes any change to its derivation quite expensive.

Yes, but since we are dealing with multiple high severity vulns, we might just have to bite the bullet.

[h0nIg]

i dont think it is necessary to replace jq completely, however it makes sense to apply the patches (once available) and backport them as well.

just moving to another tool is not the way to go IMHO and comes with other issues, for example: what will happen once the other tools get unmaintained as they are supported by 1-2 persons? issues will get fixed, its just about that they don't want to release right now (which i dont understand). There are so many examples where people do curl mysite.com/json | jq ....

GHSA-8mxc-vqrq-gcm8 / Feb 26
jqlang/jq@a09a4df / Mar 4

[LordGrimmauld]

While this might be the best solution for the unstable branch, though i am not quite sure for the stable branches (24.11, 25.05). When i last looked there was a difference of at least 149 commits. Since the next release is 1.8 we may expect breaking changes.

We can backport breaking changes if they are security-relevant. That isn't the issue here.

[kuflierl]

i dont think it is necessary to replace jq completely, however it makes sense to apply the patches (once available) and backport them as well.

That wasn't really what was discussed, this is more about replacing it in the tooling for internal infra and build tooling in nixos.
Backports will need to happen regardless due to its popularity.

just moving to another tool is not the way to go IMHO and comes with other issues, for example: what will happen once the other tools get unmaintained as they are supported by 1-2 persons? issues will get fixed, its just about that they don't want to release right now (which i dont understand). There are so many examples where people do curl mysite.com/json | jq ....

Fair, but it's not really just about the maintainership. Due to the project being written in c, it's practically given that vulnerabilities abusing memory mismanagement will crop up. That's why the project would technically need a pretty active maintainer base and rapid patch version itteration to stay secure. They aren't even considering releasing a patch version.

On the other hand, languages like go and rust are considered memory safe. That tends to make memory mismanagement almost impossible in an exploitable way. That also means that most vuls simply don't happen. So we can assume that such rewrites are categorically safer as long as they have reached a certain maturity. That also means that the maintenance burden would be reduced regarding vulnerabilities.

As much as I love c, I would consider it suboptimal for the use case of jq. Especially because it is used to parse potentially malicious attacker controlled data.

This is a change that needs to happen some day, we are simply accelerating it a bit.

GHSA-8mxc-vqrq-gcm8 / Feb 26 jqlang/jq@a09a4df / Mar 4

[kuflierl]

Looks good now... #412367 and #412590