CVE-2024-53427

8.1 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in jq's decNumberCopy function allows out-of-bounds writes when processing specially crafted JSON input containing NaN values. This can lead to arbitrary code execution or application crashes. All users of jq versions through 1.7.1 are affected.

💻 Affected Systems

Products:
  • jq
Versions: All versions through 1.7.1
Operating Systems: All platforms running jq
Default Config Vulnerable: ✅ No
Notes: Requires processing JSON with specific NaN patterns using --slurp with subtraction operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash causing denial of service and potential data corruption.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: MEDIUM - Requires specific input processing with --slurp flag and subtraction operations.
🏢 Internal Only: MEDIUM - Same technical risk but limited to internal systems processing untrusted JSON.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept available in GitHub advisory. Requires specific input format and jq filter patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: jq 1.7.2 or later

Vendor Advisory: https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22

Restart Required: No

Instructions:

1. Check current version: jq --version
2. Update via package manager, e.g. sudo apt install --only-upgrade jq, sudo yum update jq, or brew upgrade jq
3. Or build from source (the oniguruma regex library is a git submodule and must be fetched first): git clone https://github.com/jqlang/jq.git && cd jq && git submodule update --init && autoreconf -fi && ./configure && make && sudo make install

🔧 Temporary Workarounds

Input validation filter

all

Filter out NaN values before processing with vulnerable operations

jq 'select(type != "number" or . == .)' input.json

Avoid --slurp with subtraction

all

Do not use --slurp flag with subtraction operations on untrusted input

🧯 If You Can't Patch

  • Implement strict input validation to reject JSON containing NaN values
  • Run jq in sandboxed/containerized environments with minimal privileges
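The "strict input validation" item above can be implemented as a gate in front of jq. This is an added example, not code from the advisory or the jq project: jq's reader accepts NaN and Infinity tokens that RFC 8259 JSON forbids, so running a standards-conforming parser over the raw stream first rejects exactly the inputs this bug needs. The file name jq_gate.py and the function names are this example's own; the rejected sample input is the advisory's own verification string.

```python
import json
import sys
from typing import Iterator, Tuple

class NonStandardJsonError(ValueError):
    """Input contains NaN/Infinity, a malformed token, or trailing garbage."""

def _reject_constant(name: str) -> None:
    # json.loads would otherwise silently accept NaN, Infinity and -Infinity,
    # the very tokens RFC 8259 forbids and jq's reader lets through.
    raise NonStandardJsonError(f"non-standard JSON constant: {name}")

_DECODER = json.JSONDecoder(parse_constant=_reject_constant)

def iter_strict_values(text: str) -> Iterator[object]:
    """Yield each top-level value of a whitespace-separated JSON stream
    (the same shape jq --slurp consumes), failing on anything non-standard."""
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos] in " \t\r\n":  # skip inter-document whitespace
            pos += 1
        if pos >= end:
            return
        try:
            value, pos = _DECODER.raw_decode(text, pos)
        except json.JSONDecodeError as exc:
            # malformed tokens and trailing garbage land here
            raise NonStandardJsonError(f"invalid JSON at offset {pos}: {exc.msg}") from exc
        yield value

def is_safe_for_jq(text: str) -> Tuple[bool, str]:
    """Return (True, 'ok') if every value parses as strict JSON, else (False, reason)."""
    try:
        for _ in iter_strict_values(text):
            pass
    except NonStandardJsonError as exc:
        return False, str(exc)
    return True, "ok"

if __name__ == "__main__":
    # Usage: python3 jq_gate.py < input.json && jq --slurp '...' input.json
    ok, reason = is_safe_for_jq(sys.stdin.read())
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)
```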

🔍 How to Verify

Check if Vulnerable:

Test with: echo '1 NaN12345678901234567890' | jq --slurp '.-.' 2>&1 | grep -i 'overflow\|segmentation\|crash'

Check Version:

jq --version | grep -E '^jq-1\.([0-6](\.[0-9]+)?|7(\.[01])?)$'

(jq 1.6 and 1.7 print their version without a patch number, e.g. jq-1.7, so the pattern accepts both forms.)

Verify Fix Applied:

After updating, the same test should produce normal JSON output without crashing.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault logs
  • jq process crashes
  • Memory violation errors

Network Indicators:

  • Unusual JSON payloads containing NaN patterns
  • Repeated jq process restarts

SIEM Query:

process_name:"jq" AND (event_type:"crash" OR exit_code:139 OR exit_code:11)
