PT-2026-30927 · Hackage · Hackage-Server
Published 2026-03-28 · Updated 2026-03-28
Severity: none. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Hackage CSRF vulnerability
- Vulnerable file: src/Distribution/Server/Features/Votes.hs (example)
- Impact: can forge requests through XSS
hackage-server lacked Cross-Site Request Forgery (CSRF) protection
across its endpoints. Scripts on foreign sites could trigger
requests to hackage server, possibly abusing latent credentials to
upload packages or perform other administrative actions. Some
unauthenticated actions could also be abused (e.g. creating new user
accounts).
To fix the issue, a new CSRF middleware checks all requests. Requests using HTTP methods other than GET, HEAD and OPTIONS are subject to a check of the Sec-Fetch-Site header, which is widely supported by modern browsers. Cross-site requests are rejected with 403 Forbidden. Certain approved and expected non-browser user agents (e.g. cabal-install/*) are exempted from the check, as are requests using token authentication (Authorization: X-ApiKey ...).
The fix has been committed and deployed on hackage.haskell.org.
Acknowledgements
- Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- Spenser Janssen implemented the fix, and Fraser Tweedale reviewed it.
- Gershom Bazerman merged the fix and deployed it to hackage.haskell.org.
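The middleware decision described in the fix section above, as an added example in Python (not hackage-server's own code, which is Haskell): safe methods, X-ApiKey token authentication and the listed user agents bypass the check, a cross-site Sec-Fetch-Site value is rejected with 403, and a request with no Sec-Fetch-Site header is let through, which the advisory does not specify and is assumed here. The sample requests are constructed.

```python
from fnmatch import fnmatch

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Non-browser user agents exempt from the check; the advisory names cabal-install/*.
EXEMPT_USER_AGENTS = ("cabal-install/*",)


def csrf_check(method: str, headers: dict) -> tuple[int, str]:
    """Return (status, reason): 200 lets the request through, 403 rejects it."""
    h = {name.lower(): value for name, value in headers.items()}  # HTTP header names are case-insensitive
    if method.upper() in SAFE_METHODS:
        return 200, "safe method, not checked"
    # A browser never attaches an X-ApiKey token on its own, so token auth is exempt.
    if h.get("authorization", "").startswith("X-ApiKey "):
        return 200, "token authentication, exempt"
    if any(fnmatch(h.get("user-agent", ""), pattern) for pattern in EXEMPT_USER_AGENTS):
        return 200, "exempt non-browser user agent"
    site = h.get("sec-fetch-site")
    if site is None:
        # Assumption, not stated in the advisory: a request without Sec-Fetch-Site
        # (older browser or other non-browser tool) is let through.
        return 200, "no Sec-Fetch-Site header"
    if site == "cross-site":
        return 403, "cross-site request forbidden"
    return 200, f"Sec-Fetch-Site: {site}"


# Constructed sample requests; header values are illustrative, not captured traffic.
SAMPLE_REQUESTS = {
    "cross-site browser POST": ("POST", {"Sec-Fetch-Site": "cross-site", "Cookie": "session=abc"}),
    "same-origin browser POST": ("POST", {"Sec-Fetch-Site": "same-origin", "Cookie": "session=abc"}),
    "cross-site GET": ("GET", {"Sec-Fetch-Site": "cross-site", "Cookie": "session=abc"}),
    "cabal-install upload": ("PUT", {"User-Agent": "cabal-install/3.10.1.0"}),
    "cross-site POST with API key": ("POST", {"Sec-Fetch-Site": "cross-site", "Authorization": "X-ApiKey 0123abcd"}),
    "curl without Sec-Fetch-Site": ("POST", {"User-Agent": "curl/8.5.0"}),
}


def evaluate_samples() -> dict:
    """Run every sample request through the check; map request name -> HTTP status."""
    return {name: csrf_check(method, headers)[0] for name, (method, headers) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        print(f"{name:30s} -> {status}")
```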
Affected products
Hackage-Server