Hackage package metadata stored XSS vulnerability
User-controlled metadata from .cabal files is rendered
into HTML href attributes without proper sanitization,
enabling stored cross-site scripting (XSS) attacks. The specific fields
affected are:
- homepage
- bug-reports
- source-repository.location
- description (Haddock hyperlinks)
The Haskell Security Response Team audited the entire corpus of
published packages on
hackage.haskell.org—all published package versions but
not candidates. No exploitation attempts were detected.
To fix the issue, hackage-server now inspects target URIs
and only produces a hyperlink when the URI has an approved scheme:
http, https, and (only for some fields)
mailto.
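The following is an added illustration of the scheme-allowlist approach described above, written in Python for clarity; it is not hackage-server's Haskell code. The sample field values are constructed, and the choice of which field admits mailto is an assumption (the advisory says only that some fields do). It shows the vulnerable pattern (the raw field value dropped into an href) beside a hardened renderer that parses the URI, accepts only approved schemes, rejects control characters that browsers would otherwise strip out of a scheme, and HTML-escapes whatever it emits.

```python
"""Scheme-allowlisted hyperlink rendering for untrusted package metadata.

Illustrative Python, not hackage-server's Haskell implementation.  The
per-field mailto policy and the sample values below are assumptions made
for this example.
"""
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled .cabal field values (not real packages).
SAMPLE_FIELDS = {
    "homepage": "javascript:alert(document.cookie)",
    "bug-reports": '" onmouseover="alert(1)',
    "source-repository.location": "https://github.com/example/pkg",
}


def render_link_unsafe(uri_text: str) -> str:
    """The vulnerable pattern: the raw field value lands in an href."""
    return f'<a href="{uri_text}">{uri_text}</a>'


def approved_uri(uri_text: str, allow_mailto: bool = False):
    """Return the URI if its scheme is on the allowlist, otherwise None.

    http and https are always accepted; mailto only when the caller opts in
    (assumed to model "only for some fields").
    """
    candidate = uri_text.strip()
    # Browsers drop tabs/newlines inside a scheme, so "java\tscript:" would
    # still execute.  Reject any ASCII control character outright rather
    # than relying on the URI parser to normalise it away.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return None
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # A hyperlink without a host (e.g. "http:foo") is not useful; skip it.
        return candidate if parts.netloc else None
    if scheme == "mailto" and allow_mailto:
        return candidate if parts.path else None
    # javascript:, data:, vbscript:, relative paths, and anything else.
    return None


def render_link(uri_text: str, allow_mailto: bool = False) -> str:
    """Emit a hyperlink only for an approved scheme; else escaped plain text.

    Escaping the href defeats attribute break-outs ('" onmouseover=...')
    and turns entity tricks such as "&colon;" into a literal "&amp;colon;".
    """
    label = html.escape(uri_text, quote=True)
    uri = approved_uri(uri_text, allow_mailto)
    if uri is None:
        return label
    return f'<a href="{html.escape(uri, quote=True)}">{label}</a>'


def render_fields(fields: dict, mailto_fields=("bug-reports",)) -> dict:
    """Render every metadata field with the hardened renderer."""
    return {
        name: render_link(value, allow_mailto=name in mailto_fields)
        for name, value in fields.items()
    }


if __name__ == "__main__":
    for name, value in SAMPLE_FIELDS.items():
        print(f"{name}:")
        print("  unsafe:", render_link_unsafe(value))
        print("  fixed: ", render_fields(SAMPLE_FIELDS)[name])
```

Running the script shows the `homepage` and `bug-reports` samples degrade to escaped text under the hardened renderer while the https repository location is still linked. The same structure carries over to Haskell: parse with `Network.URI`, compare the scheme against the allowlist, and only then build the anchor element.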
The fix has been committed
and deployed on hackage.haskell.org. Operators of other
hackage-server instances should update as soon as possible to
commit 2de3ae45082f8f3f29a41f6aff620d09d0e74058 or
later.
Acknowledgements
- Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- Fraser Tweedale implemented the fix.
- Gershom Bazerman merged the fix and deployed it to
hackage.haskell.org.
Info
- Published
- March 28, 2026
- Modified
- March 28, 2026
- CAPECs
- < none >
- CWEs
- 84
- Keywords
- hackage, xss, supply-chain
- Aliases
- < none >
- Related
- < none >
- References
- [FIX] https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058
Affected
@hackage/hackage-server
- CVSS
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
- Versions
- >=0.1
- Declarations
- < none >