CVE-2024-23337 — Integer Overflow or Wraparound in JQ

CWE-190 — Integer Overflow or Wraparound10 documents7 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.3%

top 50.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jqlang JQ

Timeline

PublishedMay 21

Latest updateJul 22

Description

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Debianjqlang/jq< 1.7.1-6+1

▶Ubuntujqlang/jq< 1.6-2.1ubuntu3.1+4

▶CVEListV5jqlang/jq1.7.1

▶NVDjqlang/jq1.7.1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

jq vulnerabilities↗2025-07-22

▶

OSV

jq vulnerabilities↗2025-07-21

▶

OSV

CVE-2024-23337: jq is a command-line JSON processor↗2025-05-21

▶

CVEList

jq has signed integer overflow in jv.c:jvp_array_write↗2025-05-21

▶

📋Vendor Advisories

Ubuntu

jq vulnerabilities↗2025-07-22

▶

Ubuntu

jq vulnerabilities↗2025-07-21

▶

Red Hat

jq: jq has signed integer overflow in jv.c:jvp_array_write↗2025-05-21

▶

Microsoft

jq has signed integer overflow in jv.c:jvp_array_write↗2025-05-13

▶

Debian

CVE-2024-23337: jq - jq is a command-line JSON processor. In versions up to and including 1.7.1, an i...↗2024

▶