This write-up covers CVE-2024-53427, a memory-safety vulnerability in "jq," the lightweight command-line JSON processor, affecting versions through 1.7.1. The flaw sits in the decNumberCopy function of decNumber.c (the decimal arithmetic library bundled with jq) and results in a stack-based buffer overflow and out-of-bounds write. At minimum that crashes jq on attacker-supplied input; in the general case a stack-based out-of-bounds write can be leveraged for code execution.

Description

decNumberCopy in decNumber.c does not account for the fact that a NaN (Not a Number) can itself be treated as a number carrying a digit payload. When the input contains a bare NaN literal followed by many digits (for example "1 NaN123", i.e. the number 1 and then a NaN whose payload is a long digit string) and that input is processed with jq's --slurp option and a subtraction filter, the payload is copied into a decNumber that lives on the stack and is sized for a fixed precision. A payload longer than that precision produces a stack-based buffer overflow and out-of-bounds write.

Here is the reproducer. The input file input.json contains the following two whitespace-separated JSON values, written without surrounding quotes (a quoted "NaN..." would be an ordinary string and never reach the number code): the integer 1 and a NaN literal with an 80-digit payload

1 NaN12345678901234567890123456789012345678901234567890123456789012345678901234567890

Processing this input with the command

$ jq --slurp ' . - . ' input.json

The filter is the subtraction `. - .`. With --slurp the two values are collected into a single array, and subtracting that array from itself makes jq compare its elements as numbers; during that comparison the NaN operand, payload included, is copied into a fixed-size decNumber on the stack, which is the overflow described above.

You can find the original reference for the problem in the "jq" GitHub repository at the following link: GitHub Issue

Stack-based buffer overflows are a serious bug class. At minimum the out-of-bounds write crashes jq, which is a denial of service for any pipeline that feeds it untrusted JSON; in the general case such writes can corrupt control data on the stack and lead to arbitrary code execution on the host where "jq" runs.

Mitigation

When this write-up was published (see the timeline below) no fixed release was available. jq 1.8.0, released in June 2025, includes a fix for CVE-2024-53427 that rejects NaN literals carrying a digit payload while parsing JSON; upgrading is the real fix. Until you can upgrade, treat every jq invocation over untrusted JSON as exposed: pre-filter the input, run jq under the least privilege the job needs, and keep monitoring the "jq" project for further updates.

Possible Workaround

One workaround is to sanitize JSON data before handing it to "jq." Standard JSON has no NaN literal at all, so the simplest gate is a strict JSON validator in front of jq that rejects any bare NaN or sNaN token. If you depend on jq's extension of accepting nan as input, reject only NaN literals that are followed by payload digits. Note that "NaN123" inside a quoted string is harmless: only a bare numeric literal reaches the decNumber code.
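As an added example of that pre-filter (written for this page, not part of jq or the original post), the scanner below finds the first bare NaN or sNaN literal with a digit payload outside of JSON strings. The accepted spellings (NaN/sNaN, case-insensitive, optional digits) follow decNumber's string syntax; that jq hands such tokens to decNumber is an assumption here, as is the name nanguard used for the binary. Strings are skipped, including escaped quotes, so "NaN123" in a string does not trip it, and "null" is left alone.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive compare of n bytes. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns the byte offset of the first bare NaN/sNaN literal that is followed
 * by at least one digit, ignoring anything inside JSON string literals, or -1
 * if there is none. An unterminated string simply runs to the end of input;
 * jq would reject such input anyway. Illustrative code for this page. */
long find_nan_payload(const char *in, size_t len) {
    int in_string = 0;
    size_t i = 0;
    while (i < len) {
        char c = in[i];
        if (in_string) {                     /* inside "...": honour escapes */
            if (c == '\\') i += 2;
            else { if (c == '"') in_string = 0; i++; }
            continue;
        }
        if (c == '"') { in_string = 1; i++; continue; }
        if (!isalpha((unsigned char)c)) { i++; continue; }
        size_t start = i;                    /* collect a bare alphabetic word */
        while (i < len && isalpha((unsigned char)in[i])) i++;
        size_t wlen = i - start;
        int is_nan = (wlen == 3 && ieq(in + start, "nan", 3)) ||
                     (wlen == 4 && ieq(in + start, "snan", 4));
        if (is_nan && i < len && isdigit((unsigned char)in[i]))
            return (long)start;
    }
    return -1;
}

/* Convenience wrapper for NUL-terminated input: 1 = safe to pass on, 0 = reject. */
int input_is_safe(const char *in) {
    return find_nan_payload(in, strlen(in)) < 0;
}

/* Stand-alone use as a gate in a pipeline (binary name is an assumption):
 *   ./nanguard < input.json && jq --slurp '. - .' input.json */
int main(void) {
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) return 2;
    while ((n = fread(buf + len, 1, cap - len, stdin)) > 0) {
        len += n;
        if (len == cap) {                    /* grow before the next read */
            char *grown = realloc(buf, cap *= 2);
            if (!grown) { free(buf); return 2; }
            buf = grown;
        }
    }
    long at = find_nan_payload(buf, len);
    free(buf);
    if (at >= 0) {
        fprintf(stderr, "rejected: NaN literal with payload at byte %ld\n", at);
        return 1;
    }
    return 0;
}
```

The scanner is deliberately narrower than a strict JSON validator: it allows a bare nan without payload, which jq accepts as an extension, and blocks only the form that carries digits into decNumberCopy. If you do not need that extension, a validator that rejects every non-standard literal is the simpler and safer gate.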

Conclusion

CVE-2024-53427 affects jq through 1.7.1: decNumberCopy in decNumber.c copies a NaN's digit payload without regard to the destination's capacity, producing a stack-based buffer overflow and out-of-bounds write. Upgrade to a fixed release (jq 1.8.0 or later) where possible; until then, do not run an affected "jq" over untrusted JSON without a pre-filter that rejects NaN literals with payload digits.

Timeline

Published on: 02/26/2025 16:15:16 UTC
Last modified on: 03/28/2025 17:15:27 UTC