[advisory]
id = "HSEC-2023-0001"
cwe = [328, 400]
keywords = ["json", "dos", "historical"]
aliases = ["CVE-2022-3433"]

[[affected]]
package = "aeson"
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"

[[affected.versions]]
introduced = "0.4.0.0"
fixed = "2.0.1.0"

[[references]]
type = "ARTICLE"
url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability"
[[references]]
type = "ARTICLE"
url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html"
[[references]]
type = "DISCUSSION"
url = "https://github.com/haskell/aeson/issues/864"

Hash flooding vulnerability in aeson

aeson was vulnerable to hash flooding (a.k.a. hash DoS). The issue is a consequence of the HashMap implementation from unordered-containers. It results in a denial of service through CPU consumption. This technique has been used in real-world attacks against a variety of languages, libraries and frameworks over the years.