Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-tvwp-ydpn-zqf1
Vulnerability ID VCID-tvwp-ydpn-zqf1
Aliases CVE-2022-21653
GHSA-vc89-hccf-rq55
Summary Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-400 Uncontrolled Resource Consumption
CWE-326 Inadequate Encryption Strength
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2022-21653
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2022-21653
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2022-21653
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2022-21653
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vc89-hccf-rq55
cvssv3.1 5.9 https://github.com/typelevel/jawn
generic_textual MODERATE https://github.com/typelevel/jawn
cvssv3.1 5.9 https://github.com/typelevel/jawn/pull/390
generic_textual MODERATE https://github.com/typelevel/jawn/pull/390
ssvc Track https://github.com/typelevel/jawn/pull/390
cvssv3.1 5.9 https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
cvssv3.1_qr MODERATE https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
generic_textual MODERATE https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
ssvc Track https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2022-21653
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-21653
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21653
https://github.com/typelevel/jawn
390 https://github.com/typelevel/jawn/pull/390
CVE-2022-21653 https://nvd.nist.gov/vuln/detail/CVE-2022-21653
GHSA-vc89-hccf-rq55 https://github.com/advisories/GHSA-vc89-hccf-rq55
GHSA-vc89-hccf-rq55 https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/typelevel/jawn
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/typelevel/jawn/pull/390
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:18Z/ Found at https://github.com/typelevel/jawn/pull/390
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:18Z/ Found at https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21653
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.34082
EPSS Score 0.00141
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:39:16.792228+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/21xxx/CVE-2022-21653.json 38.6.0