Moderate severity · NVD Advisory · Published Jan 5, 2022 · Updated Apr 22, 2025
Hash collision in typelevel jawn
CVE-2022-21653
Description
Jawn is an open source JSON parser. Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. jawn-parser-1.3.1 fixes this issue and users are advised to upgrade. Users unable to upgrade should override objectContext() to use a collision-safe collection.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.typelevel:jawn-parser_0.25 (Maven) | >= 0 | — |
| org.typelevel:jawn-parserg (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_0.27 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.10 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.11 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.12 (Maven) | < 1.3.2 | 1.3.2 |
| org.typelevel:jawn-parser_2.13 (Maven) | < 1.3.2 | 1.3.2 |
| org.typelevel:jawn-parser_2.13.0-M5 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.13.0-RC1 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.13.0-RC2 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_2.13.0-RC3 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3 (Maven) | < 1.3.2 | 1.3.2 |
| org.typelevel:jawn-parser_3.0.0-M1 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3.0.0-M2 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3.0.0-M3 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3.0.0-RC1 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3.0.0-RC2 (Maven) | >= 0 | — |
| org.typelevel:jawn-parser_3.0.0-RC3 (Maven) | >= 0 | — |
Affected products
- ghsa-coords, 21 versions, range: >= 0 (+ 20 more)
  - pkg:maven/org.typelevel/jawn-parser_0.25
  - pkg:maven/org.typelevel/jawn-parser_0.27
  - pkg:maven/org.typelevel/jawn-parser_2.10
  - pkg:maven/org.typelevel/jawn-parser_2.11
  - pkg:maven/org.typelevel/jawn-parser_2.12
  - pkg:maven/org.typelevel/jawn-parser_2.13
  - pkg:maven/org.typelevel/jawn-parser_2.13.0-M5
  - pkg:maven/org.typelevel/jawn-parser_2.13.0-RC1
  - pkg:maven/org.typelevel/jawn-parser_2.13.0-RC2
  - pkg:maven/org.typelevel/jawn-parser_2.13.0-RC3
  - pkg:maven/org.typelevel/jawn-parser_3
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-M1
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-M2
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-M3
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-RC1
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-RC2
  - pkg:maven/org.typelevel/jawn-parser_3.0.0-RC3
  - pkg:maven/org.typelevel/jawn-parserg
  - pkg:rpm/opensuse/jawn&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/suse/jawn&distro=SUSE%20Package%20Hub%2015%20SP2
  - pkg:rpm/suse/jawn&distro=SUSE%20Package%20Hub%2015%20SP3
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: < 1.3.2
- (no CPE) range: < 1.3.2
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: < 1.3.2
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: >= 0
- (no CPE) range: < 0.14.1-bp153.2.3.1
- (no CPE) range: < 0.14.1-bp152.2.3.1
- (no CPE) range: < 0.14.1-bp153.2.3.1
References
- github.com/advisories/GHSA-vc89-hccf-rq55 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-21653 (ghsa, ADVISORY)
- github.com/typelevel/jawn/pull/390 (ghsa, x_refsource_MISC, WEB)
- github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55 (ghsa, x_refsource_CONFIRM, WEB)