cbcvebase.
CVE-2024-53427
published 2025-02-26

CVE-2024-53427: decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer…

PriorityP347high8.1CVSS 3.1
AVLACHPRNUINSCCHIHAH
EPSS
0.35%
27.1th percentile
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).

Affected

7 ranges
VendorProductVersion rangeFixed in
debianjq< jq 1.7.1-5 (forky)jq 1.7.1-5 (forky)
jqlangjq<= 1.7.1
jqlangjq>= 0 < 1.7.1-51.7.1-5
jqlangjq>= 0 < 1.7.1-51.7.1-5
jqlangjq>= 0 < 1.6-2.1ubuntu3.11.6-2.1ubuntu3.1
jqlangjq>= 0 < 1.7.1-3ubuntu0.24.04.11.7.1-3ubuntu0.24.04.1
msrcazl3_jq_1.7.1-2_on_azure_linux_3.0

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
osv8.1HIGH
vendor_debian8.1LOW
vendor_msrc8.1HIGH
vendor_redhat8.1HIGH
vendor_ubuntu4.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.