{"id":"HSEC-2023-0001","summary":"Hash flooding vulnerability in aeson","details":"# Hash flooding vulnerability in aeson\n\n*aeson* was vulnerable to hash flooding (a.k.a. hash DoS).  The\nissue is a consequence of the HashMap implementation from\n*unordered-containers*.  It results in a denial of service through\nCPU consumption.  This technique has been used in real-world attacks\nagainst a variety of languages, libraries and frameworks over the\nyears.\n","aliases":["CVE-2022-3433"],"modified":"2025-11-17T05:00:30.873742Z","published":"2025-11-14T14:45:34Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories"},"references":[{"type":"ARTICLE","url":"https://cs-syd.eu/posts/2021-09-11-json-vulnerability"},{"type":"ARTICLE","url":"https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html"},{"type":"DISCUSSION","url":"https://github.com/haskell/aeson/issues/864"}],"affected":[{"package":{"name":"aeson","ecosystem":"Hackage","purl":"pkg:hackage/aeson"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.4.0.0"},{"fixed":"2.0.1.0"}]}],"versions":["0.10.0.0","0.11.0.0","0.11.1.0","0.11.1.1","0.11.1.2","0.11.1.3","0.11.1.4","0.11.2.0","0.11.2.1","0.11.3.0","0.4.0.0","0.4.0.1","0.5.0.0","0.6.0.0","0.6.0.1","0.6.0.2","0.6.1.0","0.6.2.0","0.6.2.1","0.7.0.0","0.7.0.1","0.7.0.2","0.7.0.3","0.7.0.4","0.7.0.5","0.7.0.6","0.8.0.0","0.8.0.1","0.8.0.2","0.8.1.0","0.8.1.1","0.9.0.0","0.9.0.1","1.0.0.0","1.0.1.0","1.0.2.0","1.0.2.1","1.1.0.0","1.1.1.0","1.1.2.0","1.2.0.0","1.2.1.0","1.2.2.0","1.2.3.0","1.2.4.0","1.3.0.0","1.3.1.0","1.3.1.1","1.4.0.0","1.4.1.0","1.4.2.0","1.4.3.0","1.4.4.0","1.4.5.0","1.4.6.0","1.4.7.0","1.4.7.1","1.5.0.0","1.5.1.0","1.5.2.0","1.5.3.0","1.5.4.0","1.5.4.1","1.5.5.0","1.5.5.1","1.5.6.0","2.0.0.0"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0001.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0001.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0001.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.5"}