hsec-2026-0004
Vulnerability from osv_haskell
Published
2026-03-28 16:05
Modified
2026-03-28 16:05
Summary
Hackage package metadata stored XSS vulnerability
Details

Hackage package metadata stored XSS vulnerability

User-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks. Attribute escaping alone does not help here: a value such as a javascript: URI contains no characters that escaping would neutralise, so the link is emitted intact and executes when a visitor clicks it. The specific fields affected are:

  • homepage
  • bug-reports
  • source-repository.location
  • description (Haddock hyperlinks)

The Haskell Security Response Team audited the entire corpus of published packages on hackage.haskell.org—all published package versions but not candidates. No exploitation attempts were detected.

To fix the issue, hackage-server now inspects target URIs and only produces a hyperlink when the URI has an approved scheme: http, https, and (only for some fields) mailto.

The fix has been committed and deployed on hackage.haskell.org. Operators of other hackage-server instances should update as soon as possible to commit 2de3ae45082f8f3f29a41f6aff620d09d0e74058 or later.
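The following is an added illustration, not hackage-server's own code, of the pre-fix rendering pattern next to the scheme-allowlist approach the advisory describes, plus a small audit helper for checking a package's own metadata before upload. Everything in it is an assumption made for the example: which fields accept mailto (MAILTO_FIELDS), the reconstruction of the vulnerable renderer, the browser-style URL pre-processing in normalise(), and the handling of only the bare <url> form of Haddock hyperlink markup; the sample metadata is constructed and belongs to no real package.

```python
"""Added example (not hackage-server code): scheme-allowlisted hyperlink
rendering for .cabal metadata, beside the pre-fix pattern.

Assumptions, labelled: MAILTO_FIELDS guesses which fields accept mailto;
render_link_vulnerable reconstructs the described behaviour rather than
quoting the project's source; Haddock link extraction handles only the
bare <url> form.
"""
import re
from html import escape
from urllib.parse import urlsplit

APPROVED_SCHEMES = frozenset({"http", "https"})
# The advisory says mailto is approved "only for some fields"; which ones
# is an assumption in this example.
MAILTO_FIELDS = frozenset({"bug-reports"})

# Browsers delete tab/CR/LF anywhere in a URL and strip leading/trailing
# C0 controls and spaces before reading the scheme, so the check must
# see the same string the browser will see.
_STRIP_ANYWHERE = re.compile(r"[\t\r\n]")
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def render_link_vulnerable(uri: str) -> str:
    """Pre-fix pattern (reconstructed): escape the value and always link it.

    Escaping blocks attribute breakout, but 'javascript:alert(1)' needs no
    quotes or angle brackets, so it survives escaping and runs on click.
    """
    return f'<a href="{escape(uri, quote=True)}">{escape(uri)}</a>'


def normalise(uri: str) -> str:
    """Mimic browser URL pre-processing (defeats 'java\\tscript:' and
    ' javascript:' variants that a naive prefix check would miss)."""
    return _STRIP_ANYWHERE.sub("", uri).strip(_C0_OR_SPACE)


def approved_scheme(uri: str, field: str) -> bool:
    """True only for http/https, or mailto in MAILTO_FIELDS.

    Schemeless values ('//evil.example', 'example.com') are rejected: a
    protocol-relative href is still attacker-chosen navigation.
    """
    scheme = urlsplit(normalise(uri)).scheme.lower()
    if scheme in APPROVED_SCHEMES:
        return True
    return scheme == "mailto" and field in MAILTO_FIELDS


def render_link_hardened(uri: str, field: str) -> str:
    """Post-fix pattern: hyperlink only approved schemes, else plain text."""
    if approved_scheme(uri, field):
        return f'<a href="{escape(uri, quote=True)}">{escape(uri)}</a>'
    return escape(uri)


# Haddock hyperlink markup is <url> or <url text>; only the URL part of
# each is extracted here (assumption: sufficient to illustrate the
# description field).
_HADDOCK_LINK = re.compile(r"<([^\s>]+)[^>]*>")


def audit_metadata(fields: dict[str, str]) -> list[tuple[str, str]]:
    """Return (field, uri) pairs the hardened renderer would refuse to link.

    Note that legitimate but unapproved schemes (e.g. git://) are listed
    too: they lose their hyperlink under the fix rather than being XSS.
    """
    refused = []
    for field, value in fields.items():
        uris = _HADDOCK_LINK.findall(value) if field == "description" else [value]
        for uri in uris:
            if not approved_scheme(uri, field):
                refused.append((field, uri))
    return refused


# Constructed sample metadata for the example; not from any real package.
SAMPLE = {
    "homepage": "javascript:alert(document.cookie)",
    "bug-reports": "mailto:security@example.invalid",
    "source-repository.location": "git://example.invalid/repo.git",
    "description": "Docs at <https://example.invalid/docs> and <data:text/html,hi>",
}

if __name__ == "__main__":
    for field, uri in audit_metadata(SAMPLE):
        print(f"not linked: {field} = {uri!r}")
```

Running the block prints the three sample values that would not be hyperlinked: the javascript: homepage, the git:// repository location (a legitimate value that simply loses its link under a strict http/https/mailto allowlist, a side effect operators should expect), and the data: link inside the description.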

Acknowledgements

  • Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
  • Fraser Tweedale implemented the fix.
  • Gershom Bazerman merged the fix and deployed it to hackage.haskell.org.

{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0004.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0004.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "hackage-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# Hackage package metadata stored XSS vulnerability\n\nUser-controlled metadata from `.cabal` files are rendered into HTML\n`href` attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.  The specific fields affected\nare:\n\n- `homepage`\n- `bug-reports`\n- `source-repository.location`\n- `description` (Haddock hyperlinks)\n\nThe Haskell Security Response Team audited the entire corpus of\n**published** packages on `hackage.haskell.org`\u2014all published\npackage versions but *not* candidates.  No exploitation attempts\nwere detected.\n\nTo fix the issue, *hackage-server* now inspects target URIs and only\nproduces a hyperlink when the URI has an approved scheme: `http`,\n`https`, and (only for some fields) `mailto`.\n\nThe fix has been [committed][commit] and deployed on\n`hackage.haskell.org`.  Other operations of *hackage-server*\ninstances should update as soon as possible to commit\n`2de3ae45082f8f3f29a41f6aff620d09d0e74058` or later.\n\n## Acknowledgements\n\n- **Joshua Rogers** (https://joshua.hu/) of AISLE\n  (https://aisle.com/) reported the issue to the Haskell Security\n  Response Team.\n- **Fraser Tweedale** implemented the fix.\n- **Gershom Bazerman** merged the fix and deployed it to\n  `hackage.haskell.org`.\n\n[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058\n",
  "id": "HSEC-2026-0004",
  "modified": "2026-03-28T16:05:12Z",
  "published": "2026-03-28T16:05:12Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Hackage package metadata stored XSS vulnerability"
}

