CVE-2024-53427

High CVSS: 8.1

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).

Vendor

Jqlang

Product

CWE

CWE-843

Yayın Tarihi

2025-02-26 16:15:16

Güncelleme

2025-07-01 21:25:24

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-843 Jq HIGH Jqlang 2025

Referanslar

https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92 https://github.com/jqlang/jq/blob/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297/src/decNumber/decNumber.c#L3375 https://github.com/jqlang/jq/issues/3196 https://github.com/jqlang/jq/issues/3296 https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22

Benzer Kayıtlar

Medium

CVE-2025-9403

A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of th…

High

CVE-2025-48060

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in functio…

Medium

CVE-2024-23337

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning va…