CVE-2022-21653: Hash collision in typelevel jawn

January 6, 2022 (updated January 10, 2022)

Jawn is an open source JSON parser. Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don’t override objectContext() are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. jawn-parser-1.3.1 fixes this issue and users are advised to upgrade. For users unable to upgrade override objectContext() to use a collision-safe collection.

References

github.com/advisories/GHSA-vc89-hccf-rq55
github.com/typelevel/jawn/pull/390
github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
nvd.nist.gov/vuln/detail/CVE-2022-21653

Detect and mitigate CVE-2022-21653 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →