PT-2026-30928 · Hackage · Hackage-Server
Publicado
2026-03-28
·
Atualizado
2026-03-28
Nenhuma
Não há classificações de severidade ou métricas disponíveis. Quando houver, atualizaremos as informações correspondentes na página.
Hackage package metadata stored XSS vulnerability
User-controlled metadata from
.cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks. The specific fields affected
are:homepagebug-reportssource-repository.locationdescription(Haddock hyperlinks)
The Haskell Security Response Team audited the entire corpus of
published packages on
hackage.haskell.org—all published
package versions but not candidates. No exploitation attempts
were detected.To fix the issue, hackage-server now inspects target URIs and only
produces a hyperlink when the URI has an approved scheme:
http,
https, and (only for some fields) mailto.The fix has been committed and deployed on
hackage.haskell.org. Other operations of hackage-server
instances should update as soon as possible to commit
2de3ae45082f8f3f29a41f6aff620d09d0e74058 or later.Acknowledgements
- Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- Fraser Tweedale implemented the fix.
- Gershom Bazerman merged the fix and deployed it to
hackage.haskell.org.
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Hackage-Server