CVE-2024-53427: 
NixOS vulnerability analysis and mitigation

CVE-2024-53427 affects jq through version 1.7.1, specifically in the decNumberCopy function within decNumber.c. The vulnerability was discovered and disclosed in February 2025. The issue stems from improper handling of NaN (Not a Number) values, which are incorrectly interpreted as numeric values (NVD, Debian Tracker).

The vulnerability is a stack-based buffer overflow and out-of-bounds write condition that occurs in the decNumberCopy function. The issue manifests when using the --slurp option with subtraction operations, particularly when processing input containing specific forms of digit strings with NaN (e.g., "1 NaN123" followed by many digits). The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability can lead to stack buffer overflow conditions and out-of-bounds write operations, potentially resulting in program crashes, undefined behavior, or security vulnerabilities. Given the CVSS score and vector, successful exploitation could lead to high impacts on confidentiality, integrity, and availability of the affected system (GitHub Issue).

As of the current data, there is no official patch available for this vulnerability. The issue affects all versions through 1.7.1, and users are advised to monitor for updates from the jq project (Debian Tracker).