The aeson library is not safe to use to consume untrusted input, like the JSON values that a web server might parse; this allows DoS. External Reference: https://cs-syd.eu/posts/2021-09-11-json-vulnerability
Created ghc-aeson tracking bugs for this issue:

Affects: epel-7 [bug 2004549]
Affects: fedora-all [bug 2004548]
*** Bug 2130280 has been marked as a duplicate of this bug. ***
I disagree - strongly - with the assessment that it is not worthy of a CVE assignment. This issue is not about the unordered-containers library. This issue is with aeson, the most widely used JSON library in the Haskell ecosystem. aeson prior to v2.0 used HashMap (from unordered-containers) unconditionally, making it vulnerable to hash flooding. Any service or program that used aeson < 2.0 and handled untrusted input could be vulnerable to hash flooding, without explicit countermeasures such as input size limits, rate limits, etc. Hash flooding / HashDOS vulnerabilities in data libraries are usually assigned CVEs. Search the database for "hash flood", "hashdos", "hash collision", etc. Please assign a CVE for this one too.
I think CVE-2021-41119 is this issue, right?
Well, yes and no. That CVE is specifically for wire-server, which was vulnerable because it uses aeson. I would expect a CVE / advisory to be filed against the aeson library itself.
Reopening this ticket. I feel that the decision not to assign a CVE for the hash flood vulnerability within aeson itself (versions < 2.0) is incorrect.
Thanks for your feedback. This issue was assigned CVE-2022-3433.