{"id":"CVE-2024-23337","summary":"jq has signed integer overflow in jv.c:jvp_array_write","details":"jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning a value using an index of 2147483647, the maximum value of a signed 32-bit integer. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.","aliases":["GHSA-2q6r-344g-cx46"],"modified":"2026-04-12T05:53:17.038223Z","published":"2025-05-21T14:34:51.007Z","related":["ALSA-2025:10585","ALSA-2025:10618","SUSE-SU-2025:02384-1","SUSE-SU-2025:20506-1","SUSE-SU-2025:20591-1","openSUSE-SU-2025:15233-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23337.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-190"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23337.json"},{"type":"ADVISORY","url":"https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23337"},{"type":"REPORT","url":"https://github.com/jqlang/jq/issues/3262"},{"type":"FIX","url":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jqlang/jq","events":[{"introduced":"0"},{"fixed":"de21386681c0df0104a99d9d09db23a9b2a78b1e"}]}],"versions":["1.6rc2","jq-1.0","jq-1.1","jq-1.2","jq-1.3","jq-1.4","jq-1.5rc1","jq-1.5rc2","jq-1.6","jq-1.6rc1","jq-1.7","jq-1.7.1","jq-1.7rc1","jq-1.7rc2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-04565637","digest":{"function_hash":"111137988609399857151046150794485037805","length":262},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_array_concat"}},{"signatu
re_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-286cf1dd","digest":{"function_hash":"237748935759897293101131115643374254823","length":510},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_object_merge_recursive"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-32865e5f","digest":{"function_hash":"163445554510748770352223293969963023000","length":376},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_string_explode"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-369ac283","digest":{"function_hash":"103305768167939608993029809850816110497","length":685},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_string_indexes"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-3771edc2","digest":{"function_hash":"262463111219578099524581004154513052700","length":212},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_object_merge"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-42ee90c2","digest":{"function_hash":"6706008070668189485097578795644585746","length":398},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_array_set"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-65984b07","digest":{"function_hash":"217152002507721013265383776974827853736","length":261},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_object_set"}},{"si
gnature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-7044072c","digest":{"function_hash":"126652276985080967571016257588026388027","length":2571},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv_aux.c","function":"jv_set"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-9647e1d6","digest":{"function_hash":"196333530245603264201958299203480877545","length":906},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jv_string_split"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-96e418bb","digest":{"threshold":0.9,"line_hashes":["339014577188072507842688966493826679685","47022262820450162858937789375857704071","205780847297627229920827206980073036552","19153967694127281167714231754555334607","197736427002001478992732011065477572623","93161985359930611867717428547266678231","87468492980105111988078291989706226867","45289825194693337507435919170981760810","325844181656562266142464634897092782909","187709757395640284082794708025919103397","29862789084955351249824442219750045703","248841500202386045632931347802796219685","1815676247066957357343232946044466575","19552604032784703978496123128652340063","247548776530019746431897897424079760272","200750708131574333793396796330886324597","210238571164148412686177848076654706556","37543147854337209609683659174012688870","298772841277752792620408816477068069549","123181089485221688599852233834182458797","219750648040533630487898225587547003873","325887877661329870460505398887975064376","254012863064925480478039440014238798992","92690990334225840926913375398984399341","116682823186550376885007959598856992893","150630945996458235078215637137682493838","256871402155242183209778735769931689296","20441684469475895745498328607365
8825308","145219654637327608425633806858396420606","228290491799347054410946222118619210191","66659719239686185902814563225747056269","238872387272264149859042365778823508309","201584424087545105664339775449270047200","203340813751552507326479578217727842929","42456318665036588373651415133168046813","139084388521946995172568102038023437257","189030097817095956623774086948689108951","23375893006081176333384720943088259922","200563789312070260861222477260526813657","4354235676125506733841028530248763120","29079140071836263003351536040015942481","206965960754310182132903783766429872139","262912017746059526032614516113294840632","243298337042102622940382324872785007358","319016343311680977058485022449034188250","280218317216768007820969737374656459964","182625746718217674515175334711586846291","12308144987198618922981626989540562110","142434669384707587291012476049765025449","297381109610102847456651640043539856930","24919452270854829023413262840423730114","175494915411365812151356003500597680749","259016460323451878738877937935969686672","24662167699572299123399865576740170808","268833719976489242236045544971856680871","216109802456649461377552831783804819899","238792030916433053617837113553285043285","36325326249684072078057568438511488507","337296518720522157650094912631827220157","26184548141014247333708249531822361099","114326377041021996384063066888024303727","234108080180124966321227044060535970915","311541335489681149770467745322184233024","283912674945246823076161460269919750363","288765157807741797084954824982164523258","100453092615584081042280133613816180796","136910363091581504075968776508238666443","213755548660740247498157215474076019614","108188149734493114060360546382581990078","322918399021168533979986077792626375927","140785735858158121037101139967368508952","284376592890192898584784431858872335080","208651150119917951091971937018545669728","130378013810340699714931390771326845192"]},"deprecated":false,"signature_type":"Line","target":{"file":"src/jv.
c"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-c029bfc6","digest":{"function_hash":"220821467909858034924023723150673823611","length":583},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jvp_object_write"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-d06ffd82","digest":{"threshold":0.9,"line_hashes":["49314117860552427637289761811114704982","133168085019627836917855826111674485473","214808392088399544560201786853405852340","218456411945579710329900585944612874646","229310651614279876591567949992389710328","37186851718729348926252391537519762510","194702215318362978800119278416265201999","277375067983529847024372692174510778272","83996309895668853422199083816234437088","305716381699829394196253539820160860883","261546646928046742131095930914371569989","7443652024731225196583678104486279469","327114700914653030451603173629132522892","132045950232904207076750020726663519684"]},"deprecated":false,"signature_type":"Line","target":{"file":"src/jv_aux.c"}},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e","id":"CVE-2024-23337-f87e7430","digest":{"function_hash":"300047713942875338587980580464189780826","length":609},"deprecated":false,"signature_type":"Function","target":{"file":"src/jv.c","function":"jvp_object_rehash"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23337.json","vanir_signatures_modified":"2026-04-12T05:53:17Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}]}