GHSA-vc89-hccf-rq55

Source

https://github.com/advisories/GHSA-vc89-hccf-rq55

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-vc89-hccf-rq55/GHSA-vc89-hccf-rq55.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc89-hccf-rq55

Aliases

CVE-2022-21653

Published

2022-01-06T23:48:35Z

Modified

2025-12-16T22:56:31.776825Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Hash collision in typelevel jawn

Details

Impact

Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:

Affected implementations include: * org.http4s :: http4s-play-json * org.typelevel :: jawn-ast (< 0.8.0) * org.typelevel :: jawn-play (discontinued) * org.typelevel :: jawn-rojoma (discontinued) * org.typelevel :: jawn-spray (discontinued)

Unaffected implementations include: * io.argonaut :: argonaut-jawn * io.circe :: circe-parser * org.typelevel :: jawn-ast (>= 0.8.0) * org.typelevel :: jawn-json4s (discontinued) * org.typelevel :: jawn-argonaut (discontinued)

Patches

jawn-parser-1.3.2 fixes the issue.

Workarounds

Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.

References

https://github.com/typelevel/jawn/pull/390

Credits

@kag0, for the report and the patch

For more information

If you have any questions or comments about this advisory: * Open an issue in typelevel/jawn * E-mail a maintainer: * @rossabaker

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-326",
        "CWE-400"
    ],
    "nvd_published_at": "2022-01-05T21:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2022-01-06T20:19:30Z"
}

References

Affected packages

Maven

org.typelevel:jawn-parser_0.25

Package

Name: org.typelevel:jawn-parser_0.25; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_0.25

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parserg

Package

Name: org.typelevel:jawn-parserg; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parserg

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_0.27

Package

Name: org.typelevel:jawn-parser_0.27; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_0.27

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0

1.0.1

1.0.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.10

Package

Name: org.typelevel:jawn-parser_2.10; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.0

0.14.1

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.11

Package

Name: org.typelevel:jawn-parser_2.11; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.0

0.14.1

0.14.2

0.14.3

1.*

1.0.0-RC1

1.0.0-RC2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.12

Package

Name: org.typelevel:jawn-parser_2.12; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.12

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

0.*

0.14.0

0.14.1

0.14.2

0.14.3

1.*

1.0.0-RC1

1.0.0-RC2

1.0.0-RC3

1.0.0-RC4

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.3.1

org.typelevel:jawn-parser_2.13

Package

Name: org.typelevel:jawn-parser_2.13; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.13

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

0.*

0.14.2

0.14.3

1.*

1.0.0-RC1

1.0.0-RC2

1.0.0-RC3

1.0.0-RC4

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.3.1

org.typelevel:jawn-parser_2.13.0-M5

Package

Name: org.typelevel:jawn-parser_2.13.0-M5; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.13.0-M5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.0

0.14.1

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.13.0-RC1

Package

Name: org.typelevel:jawn-parser_2.13.0-RC1; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.13.0-RC1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.13.0-RC2

Package

Name: org.typelevel:jawn-parser_2.13.0-RC2; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.13.0-RC2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_2.13.0-RC3

Package

Name: org.typelevel:jawn-parser_2.13.0-RC3; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_2.13.0-RC3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3

Package

Name: org.typelevel:jawn-parser_3; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

1.*

1.1.2

1.2.0

1.3.0

1.3.1

org.typelevel:jawn-parser_3.0.0-M1

Package

Name: org.typelevel:jawn-parser_3.0.0-M1; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-M1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.1

1.0.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3.0.0-M2

Package

Name: org.typelevel:jawn-parser_3.0.0-M2; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-M2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.2

1.0.3

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3.0.0-M3

Package

Name: org.typelevel:jawn-parser_3.0.0-M3; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-M3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.3

1.1.0

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3.0.0-RC1

Package

Name: org.typelevel:jawn-parser_3.0.0-RC1; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-RC1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.0

1.1.1

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3.0.0-RC2

Package

Name: org.typelevel:jawn-parser_3.0.0-RC2; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-RC2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.1

1.1.2

Database specific

last_known_affected_version_range

"< 1.3.2"

org.typelevel:jawn-parser_3.0.0-RC3

Package

Name: org.typelevel:jawn-parser_3.0.0-RC3; View open source insights on deps.dev
Purl: pkg:maven/org.typelevel/jawn-parser_3.0.0-RC3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.2

Database specific

last_known_affected_version_range

"< 1.3.2"