CVE-2024-53427 Overview
CVE-2024-53427 is a stack-based buffer overflow and out-of-bounds write vulnerability in decNumberCopy within decNumber.c of the jq command-line JSON processor through version 1.7.1. The flaw stems from the function failing to properly handle inputs where NaN is interpreted as numeric. An attacker can trigger the condition by supplying a specially crafted digit string containing NaN followed by many additional digits, for example "1 NaN123" with a trailing digit sequence. Exploitation is demonstrated using --slurp combined with a subtraction filter such as .-.. The vulnerability is tracked under [CWE-843] (Access of Resource Using Incompatible Type - Type Confusion).
Critical Impact
Processing untrusted JSON with jq can result in memory corruption, denial of service, and potential arbitrary code execution within the jq process context.
Affected Products
- jqlang jq through 1.7.1
- Applications and pipelines embedding vulnerable jq builds
- Automation scripts invoking jq on attacker-controlled JSON
Discovery Timeline
- 2025-02-26 - CVE-2024-53427 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-53427
Vulnerability Analysis
jq relies on the decNumber library to represent arbitrary-precision decimal numbers. The decNumberCopy routine in decNumber.c copies a decimal representation between structures but assumes the source contains a well-formed numeric coefficient. When jq parses a token beginning with digits and containing NaN followed by additional digits, the parser treats the value as numeric while the coefficient length exceeds the fixed stack buffer size used by the copy operation. The mismatch produces a stack-based buffer overflow and an out-of-bounds write.
Root Cause
The root cause is a type-confusion condition [CWE-843]. decNumberCopy does not validate that the input classified as numeric conforms to the size constraints expected for standard decimals. Special values such as NaN with attached digit payloads bypass the length assumptions, and the resulting write extends past the destination buffer on the stack.
Attack Vector
An attacker supplies JSON input that jq is asked to process with numeric operations. The proof-of-concept uses jq --slurp '.-.' on input containing a crafted NaN payload such as "1 NaN123" followed by a long digit run. Exploitation requires local delivery of the crafted input to a jq invocation, which commonly occurs in shell pipelines, CI/CD systems, and log-processing tools that pass untrusted content to jq.
See the GitHub Security Advisory GHSA-x6c3-qv5r-7q22, GitHub Issue #3196, GitHub Issue #3296, and the decNumber.c source reference for technical details. A public proof of concept is available in a GitHub Gist.
// No verified exploit code reproduced here. Refer to the linked advisory and PoC gist.
Detection Methods for CVE-2024-53427
Indicators of Compromise
- Unexpected crashes or segmentation faults in jq processes when parsing JSON input.
- Presence of tokens combining digits with NaN followed by long digit runs in JSON files processed by jq.
- Core dumps referencing decNumberCopy or nearby frames in decNumber.c.
Detection Strategies
- Inventory installed jq binaries and compare against version 1.7.1 or earlier using package managers or jq --version.
- Scan build manifests, container images, and dependency lockfiles for vulnerable jq versions.
- Alert on abnormal termination of jq processes in log-processing, CI/CD, and data-pipeline workloads.
Monitoring Recommendations
- Log the command-line arguments and exit codes of jq invocations in production pipelines.
- Capture and review crash dumps to identify overflow signatures in decNumberCopy.
- Monitor jq consumption of untrusted external JSON, particularly with --slurp and arithmetic filters.
How to Mitigate CVE-2024-53427
Immediate Actions Required
- Identify all systems running jq 1.7.1 or earlier and prioritize updates on hosts that process untrusted JSON.
- Restrict jq usage in scripts to trusted input sources until patched builds are deployed.
- Review CI/CD, log-processing, and automation workflows that pipe external data into jq.
Patch Information
Refer to the jq security advisory GHSA-x6c3-qv5r-7q22 and the tracking issues #3196 and #3296 for fix status and upstream commits. Upgrade to a jq build that incorporates the decNumberCopy validation fix once released by the jqlang project, or apply the vendor-provided distribution patches.
Workarounds
- Pre-validate JSON inputs and reject values that contain NaN tokens followed by digit sequences before passing them to jq.
- Sandbox jq execution using containers, seccomp, or unprivileged users to contain memory corruption impact.
- Avoid using --slurp with arithmetic filters such as .-. on untrusted input until the host is patched.
# Reject inputs containing NaN-prefixed numeric tokens before invoking jq
if grep -Eq '[0-9]+[[:space:]]*NaN[0-9]+' "$INPUT"; then
echo "Rejected: potential CVE-2024-53427 payload" >&2
exit 1
fi
jq --slurp '.-.' "$INPUT"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

