Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-53427

CVE-2024-53427: Jqlang Jq Buffer Overflow Vulnerability

CVE-2024-53427 is a stack-based buffer overflow flaw in Jqlang Jq through version 1.7.1 caused by improper NaN handling in decNumberCopy. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2024-53427 Overview

CVE-2024-53427 is a stack-based buffer overflow and out-of-bounds write vulnerability in decNumberCopy within decNumber.c of the jq command-line JSON processor through version 1.7.1. The flaw stems from the function failing to properly handle inputs where NaN is interpreted as numeric. An attacker can trigger the condition by supplying a specially crafted digit string containing NaN followed by many additional digits, for example "1 NaN123" with a trailing digit sequence. Exploitation is demonstrated using --slurp combined with a subtraction filter such as .-.. The vulnerability is tracked under [CWE-843] (Access of Resource Using Incompatible Type - Type Confusion).

Critical Impact

Processing untrusted JSON with jq can result in memory corruption, denial of service, and potential arbitrary code execution within the jq process context.

Affected Products

  • jqlang jq through 1.7.1
  • Applications and pipelines embedding vulnerable jq builds
  • Automation scripts invoking jq on attacker-controlled JSON

Discovery Timeline

  • 2025-02-26 - CVE-2024-53427 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-53427

Vulnerability Analysis

jq relies on the decNumber library to represent arbitrary-precision decimal numbers. The decNumberCopy routine in decNumber.c copies a decimal representation between structures but assumes the source contains a well-formed numeric coefficient. When jq parses a token beginning with digits and containing NaN followed by additional digits, the parser treats the value as numeric while the coefficient length exceeds the fixed stack buffer size used by the copy operation. The mismatch produces a stack-based buffer overflow and an out-of-bounds write.

Root Cause

The root cause is a type-confusion condition [CWE-843]. decNumberCopy does not validate that the input classified as numeric conforms to the size constraints expected for standard decimals. Special values such as NaN with attached digit payloads bypass the length assumptions, and the resulting write extends past the destination buffer on the stack.

Attack Vector

An attacker supplies JSON input that jq is asked to process with numeric operations. The proof-of-concept uses jq --slurp '.-.' on input containing a crafted NaN payload such as "1 NaN123" followed by a long digit run. Exploitation requires local delivery of the crafted input to a jq invocation, which commonly occurs in shell pipelines, CI/CD systems, and log-processing tools that pass untrusted content to jq.

See the GitHub Security Advisory GHSA-x6c3-qv5r-7q22, GitHub Issue #3196, GitHub Issue #3296, and the decNumber.c source reference for technical details. A public proof of concept is available in a GitHub Gist.

// No verified exploit code reproduced here. Refer to the linked advisory and PoC gist.

Detection Methods for CVE-2024-53427

Indicators of Compromise

  • Unexpected crashes or segmentation faults in jq processes when parsing JSON input.
  • Presence of tokens combining digits with NaN followed by long digit runs in JSON files processed by jq.
  • Core dumps referencing decNumberCopy or nearby frames in decNumber.c.

Detection Strategies

  • Inventory installed jq binaries and compare against version 1.7.1 or earlier using package managers or jq --version.
  • Scan build manifests, container images, and dependency lockfiles for vulnerable jq versions.
  • Alert on abnormal termination of jq processes in log-processing, CI/CD, and data-pipeline workloads.

Monitoring Recommendations

  • Log the command-line arguments and exit codes of jq invocations in production pipelines.
  • Capture and review crash dumps to identify overflow signatures in decNumberCopy.
  • Monitor jq consumption of untrusted external JSON, particularly with --slurp and arithmetic filters.

How to Mitigate CVE-2024-53427

Immediate Actions Required

  • Identify all systems running jq 1.7.1 or earlier and prioritize updates on hosts that process untrusted JSON.
  • Restrict jq usage in scripts to trusted input sources until patched builds are deployed.
  • Review CI/CD, log-processing, and automation workflows that pipe external data into jq.

Patch Information

Refer to the jq security advisory GHSA-x6c3-qv5r-7q22 and the tracking issues #3196 and #3296 for fix status and upstream commits. Upgrade to a jq build that incorporates the decNumberCopy validation fix once released by the jqlang project, or apply the vendor-provided distribution patches.

Workarounds

  • Pre-validate JSON inputs and reject values that contain NaN tokens followed by digit sequences before passing them to jq.
  • Sandbox jq execution using containers, seccomp, or unprivileged users to contain memory corruption impact.
  • Avoid using --slurp with arithmetic filters such as .-. on untrusted input until the host is patched.
bash
# Reject inputs containing NaN-prefixed numeric tokens before invoking jq
if grep -Eq '[0-9]+[[:space:]]*NaN[0-9]+' "$INPUT"; then
  echo "Rejected: potential CVE-2024-53427 payload" >&2
  exit 1
fi
jq --slurp '.-.' "$INPUT"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.