CVE-2023-49355 – This vulnerability in jq's decNumber library al... (How to Fix)

Q: What is the severity of CVE-2023-49355?

CVE-2023-49355 has a CVSS score of 7.5 (HIGH). This vulnerability in jq's decNumber library allows a one-byte out-of-bounds write when processing specially crafted numeric input strings. Attackers could potentially execute arbitrary code or cause denial of service. Anyone using vulnerable versions of jq to process untrusted input is affected.

📋 TL;DR

This vulnerability in jq's decNumber library allows a one-byte out-of-bounds write when processing specially crafted numeric input strings. Attackers could potentially execute arbitrary code or cause denial of service. Anyone using vulnerable versions of jq to process untrusted input is affected.

💻 Affected Systems

Products:

jq

Versions: Versions up to and including commit 88f01a7

Operating Systems: Linux, macOS, Windows, BSD

Default Config Vulnerable: ⚠️ Yes

Notes: All installations using vulnerable jq versions are affected when processing numeric input.

📦 What is this software?

Jq by Jqlang

View all CVEs affecting Jq →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if jq processes attacker-controlled input.

🟠

Likely Case

Application crash or denial of service when processing malicious input.

🟢

If Mitigated

Limited impact if jq only processes trusted input sources with proper input validation.

🌐 Internet-Facing: HIGH if jq processes user-supplied input from web interfaces or APIs.

🏢 Internal Only: MEDIUM if jq processes data from internal systems that could be compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires sending specially crafted input like "[]-1.2e-1111111111" to jq. The vulnerability is well-documented with public proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 88f01a7

Vendor Advisory: https://github.com/jqlang/jq/security/advisories

Restart Required: No

Instructions:

1. Update jq to latest version using package manager. 2. For source installations: git clone latest jq repository, compile and install. 3. Verify installation with 'jq --version'.

🔧 Temporary Workarounds

Input Validation Filter

linux

Filter out problematic numeric patterns before passing to jq

sed -E 's/\[\]\-[0-9]+\.[0-9]+e\-[0-9]{10,}//g' input.json | jq .

Sandbox Execution

linux

Run jq in restricted environment with limited permissions

firejail --net=none --private jq . input.json

🧯 If You Can't Patch

Implement strict input validation to reject scientific notation with extremely large exponents
Run jq with memory protection mechanisms like ASLR and DEP enabled

🔍 How to Verify

Check if Vulnerable:

Test with vulnerable input: echo '[]-1.2e-1111111111' | jq . 2>&1 | grep -i 'overflow\|segmentation\|abort'

Check Version:

jq --version | head -1

Verify Fix Applied:

After update, test with same input and ensure normal error handling instead of crash

📡 Detection & Monitoring

Log Indicators:

Segmentation fault messages
Abnormal jq process termination
Memory corruption errors in system logs

Network Indicators:

Unusually large numeric strings in input data
Patterns matching scientific notation with large exponents

SIEM Query:

process_name:"jq" AND (event_type:"crash" OR error_message:"segmentation fault")

📊 Metadata

CVE ID: CVE-2023-49355

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-787

Published: December 11, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49355, you might also want to check these: