CVE-2022-3433
Description
The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The aeson library for Haskell is vulnerable to denial of service via hash collision attacks when parsing untrusted JSON input, allowing remote attackers to cause excessive CPU consumption.
Vulnerability
The aeson library uses HashMap from the unordered-containers library to represent JSON objects. unordered-containers relies on the hashable library, which implements the FNV hash function. FNV is not collision-resistant, enabling an attacker to craft JSON objects that produce many hash collisions. When aeson parses such input, the linear chaining collision resolution in HashMap results in O(n) insertion time, causing severe performance degradation. Versions of aeson prior to 2.0.1.0 are affected [1].
Exploitation
An attacker with network access to an application that parses untrusted JSON using aeson can send a specially crafted JSON object. The attacker computes collisions on the FNV hash to generate a payload that, when processed, forces the application to spend minutes handling hash collisions. No authentication or special privileges are required; the exploit is purely data-driven [1].
Impact
Successful exploitation leads to a denial of service (DoS). The targeted application becomes unresponsive for an extended period due to CPU exhaustion, effectively denying service to legitimate users. The impact is limited to availability; no data confidentiality or integrity is compromised [1].
Mitigation
The vulnerability is fixed in aeson version 2.0.1.0, released on 2021-10-09 [1]. Users should upgrade to this version or later. If upgrading is not immediately possible, avoid parsing untrusted JSON input with aeson, or apply input validation to limit the size and complexity of JSON objects. No other workarounds are documented in the available references.
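The workaround described above (limiting the size and complexity of JSON objects before they reach the parser) can be implemented as a cheap linear scan of the raw text. The following is an added example written for this page, not code from aeson or its advisory; it is in Python so the check can sit in any gateway in front of the Haskell service, and the limit values and helper names (check_json_limits, parse_untrusted, flood_document) are assumptions chosen here.

```python
"""Added example: a structural pre-check for untrusted JSON, implementing the
'limit the size and complexity of JSON objects' workaround before the document
reaches a full parser. Written for this page; the limits and helper names are
choices made here, not part of aeson or any advisory."""
import json

MAX_BYTES = 64 * 1024          # assumed limits; tune per application
MAX_DEPTH = 32
MAX_KEYS_PER_OBJECT = 1_000


def check_json_limits(text: str,
                      max_bytes: int = MAX_BYTES,
                      max_depth: int = MAX_DEPTH,
                      max_keys: int = MAX_KEYS_PER_OBJECT):
    """Single linear scan of the raw text. Tracks nesting depth and counts
    members per object (one ':' per member at that object's level). Returns
    (True, "ok") or (False, reason). It does not validate JSON grammar; the
    real parser still runs afterwards, but only on input within bounds."""
    if len(text.encode("utf-8")) > max_bytes:
        return False, "document too large"
    stack = []          # one entry per open container: "{" or "["
    key_counts = []     # member count for each open object
    in_string = False
    escaped = False
    for ch in text:
        if in_string:                     # skip string contents, honouring escapes
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append(ch)
            if len(stack) > max_depth:
                return False, "nesting too deep"
            if ch == "{":
                key_counts.append(0)
        elif ch in "}]":
            if not stack:
                return False, "unbalanced close bracket"
            if stack.pop() == "{":
                key_counts.pop()
        elif ch == ":" and stack and stack[-1] == "{":
            key_counts[-1] += 1           # one more member in the innermost object
            if key_counts[-1] > max_keys:
                return False, "too many keys in one object"
    if stack or in_string:
        return False, "unterminated document"
    return True, "ok"


def parse_untrusted(text: str):
    """Guard first, then parse. Raises ValueError on rejected input."""
    ok, reason = check_json_limits(text)
    if not ok:
        raise ValueError(f"rejected JSON: {reason}")
    return json.loads(text)


def flood_document(n_keys: int) -> str:
    """Constructed test input: one flat object with n_keys members (the shape
    a key-flooding payload takes), used here only to exercise the guard."""
    return "{" + ",".join(f'"k{i}": 0' for i in range(n_keys)) + "}"


if __name__ == "__main__":
    print(check_json_limits('{"a": 1, "b": {"c": [1, 2, {"d": ":"}]}}'))
    print(check_json_limits(flood_document(1001)))
    print(check_json_limits("[" * 33 + "]" * 33))
```

The guard rejects the two shapes that drive the cost of hash-based JSON objects (many members in one object, or many nested containers) without itself building any hash table, so it stays O(n) in the input size regardless of how the keys hash.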
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
aeson library / aeson library
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The aeson library uses unordered-containers' HashMap, which relies on the FNV-1 hash function from the hashable library — FNV-1 is not collision-resistant, allowing an attacker to craft many JSON object keys that hash to the same bucket, causing O(n) linear-chaining insertion and severe performance degradation."
Attack vector
An attacker sends a crafted JSON object whose keys are chosen so that they all produce the same FNV-1 hash value (zero) under the default salt used by hashable [ref_id=1]. Because unordered-containers uses linear chaining to handle hash collisions, each insertion into a chain of n colliding keys costs O(n), so parsing an object of n such keys degrades from the expected O(n) to O(n²). The malicious payload is delivered over any network path that a Haskell web server accepts JSON on (e.g. an HTTP POST body). The attacker needs no authentication; the only precondition is that the server parses untrusted JSON with aeson into a Data.Aeson.Value (which stores JSON objects as HashMap) [ref_id=1].
Affected code
The vulnerability spans three Haskell libraries: aeson (Data.Aeson.Value's Object constructor uses HashMap), unordered-containers (Data.HashMap.Strict uses linear chaining for collisions), and hashable (cbits/fnv.c implements the FNV-1 hash via hashable_fnv_hash). The critical code path is Data.HashMap.Strict.unsafeInsert calling Data.Hashable.hash, which invokes the C function hashable_fnv_hash [ref_id=1].
What the fix does
The advisory states that version 2.0.1.0 of aeson fixed this vulnerability [ref_id=1]. No patch diff is included in the bundle, but the recommended remediation is to upgrade to aeson >= 2.0.1.0. The fix likely involved switching to a hash function that is resistant to collision attacks (e.g. SipHash) or otherwise mitigating the hash-collision DoS vector in the JSON parsing path.
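To make the mechanism in the attack-vector and fix sections concrete, the following added example (written for this page; it does not use aeson, unordered-containers or hashable) builds a minimal linear-chaining hash map and counts key comparisons while inserting the same set of object keys twice: once with a deliberately collision-prone unkeyed hash, once with a keyed hash standing in for the class of fix the advisory points to. The hash functions, bucket count, secret key and helper names (weak_hash, keyed_hash, ChainedMap, demo) are all assumptions chosen here.

```python
"""Added illustration: why an unkeyed, collision-prone hash turns a chained
hash map into an O(n^2) structure on adversarial keys, and why a keyed hash
restores O(n). The hash functions are stand-ins chosen for clarity, not the
ones used by hashable."""
import hashlib

BUCKETS = 1024
# Constructed demo key. Real code draws this at random once per process so
# that bucket assignment is unpredictable to anyone outside the process.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def weak_hash(key: bytes) -> int:
    """Deliberately collision-prone stand-in for an unkeyed hash: every key of
    the same length lands in the same bucket (demo assumption only)."""
    return len(key) % BUCKETS


def keyed_hash(key: bytes) -> int:
    """Keyed hash (BLAKE2b with a secret key): without the key, an attacker
    cannot predict which bucket a key lands in, so chains stay short."""
    digest = hashlib.blake2b(key, key=SECRET_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


class ChainedMap:
    """Minimal hash map with linear chaining; counts key comparisons so the
    cost of collisions is visible rather than merely timed."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key)]
        for entry in chain:               # linear scan of the bucket's chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def comparisons_for(keys, hash_fn) -> int:
    """Insert every key and return how many key comparisons the map made."""
    m = ChainedMap(hash_fn)
    for k in keys:
        m.insert(k, None)
    return m.comparisons


def demo(n: int = 256):
    """Constructed object keys, all the same length, inserted one by one as a
    JSON parser would while building an object. Returns (weak, keyed) counts."""
    keys = [f"k{i:05d}".encode() for i in range(n)]
    return comparisons_for(keys, weak_hash), comparisons_for(keys, keyed_hash)


if __name__ == "__main__":
    weak, keyed = demo()
    print(f"unkeyed hash: {weak} comparisons, keyed hash: {keyed} comparisons")
```

With 256 colliding keys the unkeyed map performs 256·255/2 = 32640 comparisons, i.e. quadratic in the object size, while the keyed map stays near the expected n²/(2·BUCKETS) ≈ 32. Switching the hash alone is what bounds the cost; the chaining code is identical in both runs.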
Preconditions
- config: The target application must parse untrusted JSON input using the aeson library (producing Data.Aeson.Value objects).
- network: No authentication is required; the attacker can send the malicious payload over any network path the server accepts JSON on.
- input: The attacker must craft JSON object keys whose FNV-1 hashes collide under hashable's default salt (0xdc36d1615b7400a4 on 64-bit).
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.