Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1515

NIXPKGS-2026-1515
published 1 month, 2 weeks ago
Permalink CVE-2026-43895
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    35 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

Affected products

jq
  • ==<= 1.8.1

Matching in nixpkgs

pkgs.jq

Lightweight and flexible command-line JSON processor

Ignored packages (35)

pkgs.ijq

Interactive wrapper for jq

pkgs.jql

JSON Query Language CLI tool built with Rust

pkgs.jqp

TUI playground to experiment with jq

pkgs.njq

Command-line JSON processor using nix as query language

pkgs.jqfmt

Like gofmt, but for jq

pkgs.jquake

Real-time earthquake map of Japan

Package maintainers