Hash collision in typelevel jawn

Description

Impact

Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:

Affected implementations include:
* org.http4s :: http4s-play-json
* org.typelevel :: jawn-ast (< 0.8.0)
* org.typelevel :: jawn-play (discontinued)
* org.typelevel :: jawn-rojoma (discontinued)
* org.typelevel :: jawn-spray (discontinued)

Unaffected implementations include:
* io.argonaut :: argonaut-jawn
* io.circe :: circe-parser
* org.typelevel :: jawn-ast (>= 0.8.0)
* org.typelevel :: jawn-json4s (discontinued)
* org.typelevel :: jawn-argonaut (discontinued)

Patches

jawn-parser-1.3.2 fixes the issue.

Workarounds

Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.

References

  • https://github.com/typelevel/jawn/pull/390

Credits

  • @kag0, for the report and the patch

For more information

If you have any questions or comments about this advisory:
* Open an issue in typelevel/jawn
* E-mail a maintainer:
* @rossabaker

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2022-01-06 23:48:35 UTC
Updated
2025-12-16 22:29:16 UTC
GitHub reviewed
2022-01-06 20:19:30 UTC
NVD published
2022-01-05

EPSS Score

Score Percentile
0.14% 34.48%

CVSS Scores

Base score Version Severity Vector
5.9 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-326 Inadequate Encryption Strength
CWE-400 Uncontrolled Resource Consumption

Credits

  • nrktkt (analyst)

Affected packages (18)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.typelevel:jawn-parser_0.25 < 1.3.2
maven org.typelevel:jawn-parserg < 1.3.2
maven org.typelevel:jawn-parser_0.27 < 1.3.2
maven org.typelevel:jawn-parser_2.10 < 1.3.2
maven org.typelevel:jawn-parser_2.11 < 1.3.2
maven org.typelevel:jawn-parser_2.12 < 1.3.2 1.3.2
maven org.typelevel:jawn-parser_2.13 < 1.3.2 1.3.2
maven org.typelevel:jawn-parser_2.13.0-M5 < 1.3.2
maven org.typelevel:jawn-parser_2.13.0-RC1 < 1.3.2
maven org.typelevel:jawn-parser_2.13.0-RC2 < 1.3.2
maven org.typelevel:jawn-parser_2.13.0-RC3 < 1.3.2
maven org.typelevel:jawn-parser_3 < 1.3.2 1.3.2
maven org.typelevel:jawn-parser_3.0.0-M1 < 1.3.2
maven org.typelevel:jawn-parser_3.0.0-M2 < 1.3.2
maven org.typelevel:jawn-parser_3.0.0-M3 < 1.3.2
maven org.typelevel:jawn-parser_3.0.0-RC1 < 1.3.2
maven org.typelevel:jawn-parser_3.0.0-RC2 < 1.3.2
maven org.typelevel:jawn-parser_3.0.0-RC3 < 1.3.2

References

cvelogic Threat Intelligence