CVE-2022-3433 The aeson library is not safe to use to consume untrusted JSON input
aeson is the standard JSON library for Haskell. In versions before 2.0.1.0, decoding a JSON object produced a HashMap keyed by the object's member names, and the hash used for those keys was deterministic and not seeded per process. An attacker who knows the hash function can precompute a large set of distinct key strings that all land in the same bucket and send them in a single JSON document. Each insertion then degrades from the expected amortized constant time to a scan of the whole bucket, so parsing the document costs time quadratic in the number of keys (a hash-flooding denial of service). A single crafted request is enough; no timing measurement or large volume of requests is needed, and the attacker does not need to know the exact server software version beyond its being in the affected range.
Any service that decodes attacker-controlled JSON with aeson (HTTP APIs, webhook receivers, message consumers) is affected, and the problem is not limited to any particular application domain. Remediation: upgrade to aeson 2.0.1.0 or later. As defence in depth, build aeson with the `ordered-keymap` cabal flag so objects are backed by an ordered Data.Map (logarithmic worst case per key instead of linear), and enforce a request body size limit before the document reaches the parser so that even a worst-case input is bounded.
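The first thing a practitioner wants after reading the advisory is to know whether a build is pinned to an affected aeson. The script below is an added example, not part of the advisory or of the aeson project: it reads a `cabal.project.freeze` file, extracts the pinned aeson version from the standard `any.aeson ==X.Y.Z` constraint syntax, and compares it against the fixed version 2.0.1.0 stated above. The sample freeze files it creates are constructed for the demonstration and are not real project data.

```shell
#!/bin/sh
# Added example (not from the advisory or the aeson project): flag a
# cabal.project.freeze that pins aeson older than 2.0.1.0 (CVE-2022-3433).
# Assumes the usual freeze-file constraint syntax "any.aeson ==X.Y.Z".

# version_lt A B: succeed (status 0) when dotted version A is strictly older
# than B. Components are compared numerically, missing ones count as 0, so
# "1.5.6" and "1.5.6.0" compare equal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;   # all components equal: not strictly less
    }'
}

# aeson_version: print the pinned aeson version found in freeze-file text on
# stdin (first match only), or nothing if aeson is not pinned.
aeson_version() {
    sed -n 's/.*any\.aeson ==\([0-9.]*\).*/\1/p' | head -n 1
}

# check_freeze FILE: print one status line and return
#   1  "vulnerable <ver>"  pinned aeson is older than 2.0.1.0
#   0  "fixed <ver>"       pinned aeson is 2.0.1.0 or newer
#   2  "not-pinned"        no aeson constraint in the file
check_freeze() {
    ver=$(aeson_version < "$1")
    if [ -z "$ver" ]; then
        echo "not-pinned"
        return 2
    fi
    if version_lt "$ver" "2.0.1.0"; then
        echo "vulnerable $ver"
        return 1
    fi
    echo "fixed $ver"
    return 0
}

# Constructed sample freeze files for the demonstration (not real projects).
OLD=$(mktemp); NEW=$(mktemp)
cat > "$OLD" <<'EOF'
constraints: any.aeson ==1.5.6.0,
             any.base ==4.14.3.0,
             any.text ==1.2.4.1
EOF
cat > "$NEW" <<'EOF'
constraints: any.aeson ==2.1.2.1,
             aeson +ordered-keymap,
             any.base ==4.17.0.0
EOF

for f in "$OLD" "$NEW"; do
    check_freeze "$f" || true   # a non-zero status is the finding; keep going for the demo
done
rm -f "$OLD" "$NEW"
```

In a CI job, run `check_freeze cabal.project.freeze` and fail the build on status 1; status 2 means the project does not pin aeson, in which case inspect `dist-newstyle/cache/plan.json` instead. The second sample also shows the `aeson +ordered-keymap` constraint line that switches the object representation to an ordered map.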
Timeline
Published on: 10/10/2022 22:15:00 UTC
Last modified on: 10/11/2022 18:58:00 UTC