hsec-2026-0002
Vulnerability from osv_haskell
Published: 2026-03-28 16:04
Modified: 2026-03-28 16:04
Summary: Hackage CSRF vulnerability

Details

Hackage CSRF vulnerability

  • Vulnerable File: src/Distribution/Server/Features/Votes.hs (example)
  • Impact: can forge requests through XSS

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage-server, potentially riding on the credentials a victim's browser attaches automatically to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

To fix the issue, a new CSRF middleware checks all requests. Requests using HTTP methods other than GET, HEAD and OPTIONS are subject to a check of the Sec-Fetch-Site header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site), which is widely supported by modern browsers (https://caniuse.com/?search=sec-fetch-site). Cross-site requests are rejected with 403 Forbidden. Certain approved and expected non-browser user agents (e.g. cabal-install/*) are exempted from the check, as are requests using token authentication (Authorization: X-ApiKey ...).
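The decision logic described above, modelled as an added Python example (not hackage-server's Haskell middleware). The Request class and the sample traffic are constructed for illustration; the advisory does not say how an absent Sec-Fetch-Site header is handled, so this model assumes fail-closed, and it assumes same-site and none are accepted alongside same-origin.

```python
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}              # never subject to the check
EXEMPT_UA_PREFIXES = ("cabal-install/",)               # the advisory's example of an approved UA
ALLOWED_SITES = {"same-origin", "same-site", "none"}   # assumption: only cross-site is rejected

@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # Header names are case-insensitive; match accordingly.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

def csrf_check(req: Request) -> tuple[int, str]:
    """Return (status, reason): 200 means pass the request on, 403 means block it."""
    if req.method.upper() in SAFE_METHODS:
        return 200, "safe method, not checked"
    # Token auth is exempt: a browser never adds an X-ApiKey header on its own,
    # so a request forged from another site cannot carry one.
    auth = req.header("Authorization") or ""
    if auth.split(" ", 1)[0].lower() == "x-apikey":
        return 200, "token authentication, exempt"
    # Approved non-browser clients do not send Sec-Fetch-Site at all.
    ua = req.header("User-Agent") or ""
    if ua.startswith(EXEMPT_UA_PREFIXES):
        return 200, "approved non-browser user agent, exempt"
    site = req.header("Sec-Fetch-Site")
    if site is None:
        # Assumption (not stated in the advisory): fail closed when the header is absent.
        return 403, "missing Sec-Fetch-Site on a state-changing request"
    if site.lower() in ALLOWED_SITES:
        return 200, f"Sec-Fetch-Site: {site}"
    return 403, f"cross-site request blocked (Sec-Fetch-Site: {site})"

# Constructed sample traffic: a form POST from a foreign origin that carries the
# victim's session cookie, beside legitimate same-origin, CLI and read-only requests.
SAMPLES = [
    Request("POST", {"Sec-Fetch-Site": "cross-site", "Cookie": "session=EXAMPLE"}),
    Request("POST", {"Sec-Fetch-Site": "same-origin", "Cookie": "session=EXAMPLE"}),
    Request("PUT", {"User-Agent": "cabal-install/0.0.0 (constructed)"}),
    Request("GET", {"Sec-Fetch-Site": "cross-site"}),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.method, *csrf_check(req))
```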

The fix has been committed (https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058) and deployed on hackage.haskell.org.

Acknowledgements

  • Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
  • Spenser Janssen implemented the fix, and Fraser Tweedale reviewed it.
  • Gershom Bazerman merged the fix and deployed it to hackage.haskell.org.

{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "hackage-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# Hackage CSRF vulnerability\n\n* Vulnerable File: `src/Distribution/Server/Features/Votes.hs` (example)\n* Impact: can forge requests through XSS\n\nhackage-server lacked Cross-Site Request Forgery (CSRF) protection\nacross its endpoints.  Scripts on foreign sites could trigger\nrequests to hackage server, possibly abusing latent credentials to\nupload packages or perform other administrative actions.  Some\nunauthenticated actions could also be abused (e.g. creating new user\naccounts).\n\nTo fix the issue, a new CSRF middleware checks all requests.\nRequests using HTTP methods other than `GET`, `HEAD` and `OPTIONS`\nare subject to a check of the [`Sec-Fetch-Site`\nheader][sec-fetch-site], which is [widely supported by modern\nbrowsers][caniuse-sec-fetch-site].  Cross-site requests are `403\nForbidden`.  Certain approved and expected non-browser user agents\n(e.g. `cabal-install/*`) are exempted from the check, as are\nrequests using token authentication (`Authorization: X-ApiKey ...`).\n\nThe fix has been [committed][commit] and deployed on\n`hackage.haskell.org`.\n\n## Acknowledgements\n\n- **Joshua Rogers** (https://joshua.hu/) of AISLE\n  (https://aisle.com/) reported the issue to the Haskell Security\n  Response Team.\n- **Spenser Janssen** implemented the fix, and **Fraser Tweedale**\n  reviewed it.\n- **Gershom Bazerman** merged the fix and deployed it to\n  `hackage.haskell.org`.\n\n[sec-fetch-site]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site\n[caniuse-sec-fetch-site]: https://caniuse.com/?search=sec-fetch-site\n[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058\n",
  "id": "HSEC-2026-0002",
  "modified": "2026-03-28T16:04:58Z",
  "published": "2026-03-28T16:04:58Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Hackage CSRF vulnerability"
}

