QwikSec

Security Database

CVE

CWE

Training

CVE-2024-53427

Published: Feb 26, 2025

Modified: Mar 28, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).

Vendor	Product	Versions
jqlang	jq	affected `0 - <= 1.7.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/jqlang/jq/issues/3196

https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92

https://github.com/jqlang/jq/blob/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297/src/decNumber/decNumber.c#L3375

https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22

https://github.com/jqlang/jq/issues/3296

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.