Hash flooding vulnerability in aeson
aeson was vulnerable to hash flooding (also known as hash DoS). The issue is a consequence of the HashMap implementation from unordered-containers, which aeson used to represent JSON objects. It results in a denial of service through CPU consumption. Hash flooding has been used in real-world attacks against a variety of languages, libraries and frameworks over the years.
Info
- Published: June 13, 2023
- Modified: June 13, 2023
- CAPECs: < none >
- CWEs: 328, 400
- Keywords: json, dos, historical
- Aliases: CVE-2022-3433
- Related: < none >
- References:
  - [ARTICLE] https://cs-syd.eu/posts/2021-09-11-json-vulnerability
  - [ARTICLE] https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html
  - [DISCUSSION] https://github.com/haskell/aeson/issues/864
Affected
aeson
- CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Versions: >=0.4.0.0 && <2.0.1.0
- Declarations: < none >