Integer Overflow Vulnerability in jq Command-Line JSON Processor
CVE-2024-23337

6.5MEDIUM

Key Information:

Vendor

Jqlang

Status
Jq
Vendor
CVE Published:
21 May 2025

What is CVE-2024-23337?

The jq JSON processor is affected by an integer overflow vulnerability in versions up to and including 1.7.1. This occurs when value assignments are made using an index at the signed integer maximum of 2147483647, leading to potential denial of service. A patch has been provided in commit de21386681c0df0104a99d9d09db23a9b2a78b1e to mitigate this issue, enhancing the security and reliability of the jq tool.

Affected Version(s)

jq <= 1.7.1

References

https://github.com/jqlang/jq/security/advisories/GHSA-2q6...
x_refsource_CONFIRM
https://github.com/jqlang/jq/issues/3262
x_refsource_MISC
https://github.com/jqlang/jq/commit/de21386681c0df0104a99...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-23337 : Integer Overflow Vulnerability in jq Command-Line JSON Processor