HSEC-2026-0007

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0007.json
JSON Data
https://api.test.osv.dev/v1/vulns/HSEC-2026-0007
Published
2026-05-22T07:02:58Z
Modified
2026-05-22T07:15:04.180406539Z
Summary
Denial of Service and Memory Exhaustion in aeson and text-iso8601
Details

Denial of Service and Memory Exhaustion in aeson and text-iso8601

Two Denial of Service (DoS) and memory exhaustion vulnerabilities were identified in the aeson and text-iso8601 packages. These vulnerabilities allow an attacker to exhaust server memory and crash the host process by supplying maliciously crafted JSON payloads.

1. withBoundedScientific_ DoS / Memory Exhaustion (aeson)

A vulnerability exists in aeson's withBoundedScientific_ function (located in src/Data/Aeson/Types/FromJSON.hs). The exponent bounds check only rejects large positive exponents (exp10 > 1024) but fails to reject arbitrarily large negative exponents.

When an attacker sends a JSON number with a massive negative exponent (e.g., 1e-999999999), the value bypasses the check and flows into realToFrac, which computes fromRational . toRational. For such a large negative exponent, toRational produces a GMP Integer with approximately 1 billion decimal digits, causing immediate and severe memory exhaustion.

Affected FromJSON instances:

  • Fixed a (including Centi, Pico, Nano, etc.)
  • NominalDiffTime
  • DiffTime

2. parseYear_ DoS / Memory Exhaustion (text-iso8601)

A second vulnerability exists in the text-iso8601 library's year parser (parseYear_ in src/Data/Time/FromText.hs), which aeson relies upon for all of its date/time FromJSON instances.

The year parser loops over digit characters with no upper bound constraint. The accumulated digits are then passed to textToInteger, which converts the arbitrarily long decimal string into a Haskell Integer (an arbitrary-precision bignum). Because this conversion is super-linear in the number of digits, an attacker can send a JSON date string with millions of digits in the year position (e.g., {"date": "999...999-01-01T00:00:00Z"}). A relatively small payload (~1MB) can cause seconds of CPU time and hundreds of megabytes of memory consumption, creating a practical asymmetric DoS vector.

Affected FromJSON instances (via aeson):

  • Day
  • UTCTime
  • LocalTime
  • ZonedTime
  • TimeOfDay
  • Month
  • Quarter

Resolution

These issues were resolved by introducing proper bounds checks:

  1. aeson now applies an absolute bounds check to both positive and negative exponents (abs exp10 > 1024).
  2. text-iso8601 now enforces an upper bound limit on the number of year digits accepted by parseYear_.

Users are strongly advised to update to the patched versions:

  • aeson-2.3.0.0 or later
  • text-iso8601-0.2.0.0 or later
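The two bounds checks described above, as an added illustration that is not code from aeson or text-iso8601. The snippet models the scientific-number exponent check on a constructed type `Sci` (a coefficient and base-10 exponent, standing in for `Data.Scientific`), shows the weak one-sided check beside the absolute-value check, and adds a year parser that refuses to convert more than a fixed number of digits. The names `Sci`, `weakBound`, `absBound`, `toRationalSci`, `parseYearBounded` and `maxYearDigits` are assumptions made for this example, and the digit cap of 9 is a placeholder, since the page does not state the limit text-iso8601 actually adopted. It builds with GHC using only `base`.

```haskell
module Main where

import Data.Char (isDigit)

-- Constructed stand-in for a scientific number: coefficient * 10 ^ exponent.
data Sci = Sci { coefficient :: Integer, base10Exponent :: Int }
  deriving Show

-- The one-sided check the advisory describes: only large positive exponents
-- are rejected, so 1e-999999999 passes through.
weakBound :: Sci -> Either String Sci
weakBound s
  | base10Exponent s > 1024 = Left "exponent too large"
  | otherwise               = Right s

-- The corrected check: bound the magnitude of the exponent in both directions.
absBound :: Sci -> Either String Sci
absBound s
  | abs (base10Exponent s) > 1024 = Left "exponent magnitude too large"
  | otherwise                     = Right s

-- What a toRational-style conversion does with the exponent: a negative
-- exponent e materialises the denominator 10 ^ (-e) as a bignum, which is
-- why the value must be rejected before any conversion runs.
toRationalSci :: Sci -> Rational
toRationalSci (Sci c e)
  | e >= 0    = fromInteger (c * 10 ^ e)
  | otherwise = fromInteger c / fromInteger (10 ^ negate e)

-- Placeholder digit cap for the year field (assumption, not the real limit).
maxYearDigits :: Int
maxYearDigits = 9

-- Year parser that inspects at most maxYearDigits + 1 characters, so neither
-- the scan nor the Integer conversion grows with the attacker's input.
parseYearBounded :: String -> Either String (Integer, String)
parseYearBounded input =
  case span isDigit (take (maxYearDigits + 1) input) of
    (digits, _)
      | null digits                   -> Left "expected a year"
      | length digits > maxYearDigits -> Left "year exceeds digit limit"
      | otherwise                     -> Right (read digits, drop (length digits) input)

main :: IO ()
main = do
  -- Constructed input mirroring the advisory's 1e-999999999 case.
  let huge = Sci 1 (-999999999)
  putStrLn "one-sided check on 1e-999999999 (accepted, unsafe):"
  print (weakBound huge)
  putStrLn "absolute check on 1e-999999999 (rejected):"
  print (absBound huge)
  putStrLn "a normal value still converts:"
  print (fmap toRationalSci (absBound (Sci 314 (-2))))
  putStrLn "normal ISO 8601 year:"
  print (parseYearBounded "2026-05-22T07:02:58Z")
  putStrLn "year with a million digits (rejected after reading 10 characters):"
  print (parseYearBounded (replicate 1000000 '9' ++ "-01-01T00:00:00Z"))
```

The point of `parseYearBounded` is that the cap is enforced before `read` is called: a limit applied after converting the digits would still pay the super-linear conversion cost the advisory describes. Likewise `absBound` runs before `toRationalSci`, never after it.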

Acknowledgements

The vulnerabilities were reported by Nathan Walsh, and patched by Li-yao Xia.

Database specific
{
    "repository": "https://github.com/haskell/security-advisories",
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"
}
References

Affected packages

Hackage / aeson

Package

Name
aeson
Purl
pkg:hackage/aeson

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.12.0.0
Fixed
2.3.0.0

Affected versions

1.*
1.0.0.0
1.0.1.0
1.0.2.0
1.0.2.1
1.1.0.0
1.1.1.0
1.1.2.0
1.2.0.0
1.2.1.0
1.2.2.0
1.2.3.0
1.2.4.0
1.3.0.0
1.3.1.0
1.3.1.1
1.4.0.0
1.4.1.0
1.4.2.0
1.4.3.0
1.4.4.0
1.4.5.0
1.4.6.0
1.4.7.0
1.4.7.1
1.5.0.0
1.5.1.0
1.5.2.0
1.5.3.0
1.5.4.0
1.5.4.1
1.5.5.0
1.5.5.1
1.5.6.0
2.*
2.0.0.0
2.0.1.0
2.0.2.0
2.0.3.0
2.1.0.0
2.1.1.0
2.1.2.0
2.1.2.1
2.2.0.0
2.2.1.0
2.2.2.0
2.2.3.0
2.2.4.0
2.2.4.1
2.2.5.0

Database specific

source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0007.json"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0007.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0007.md"

Hackage / text-iso8601

Package

Name
text-iso8601
Purl
pkg:hackage/text-iso8601

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1
Fixed
0.2.0.0

Affected versions

0.*
0.1
0.1.1
0.1.1.1

Database specific

source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0007.json"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0007.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0007.md"