Commit 19dfbab

HSEC-2026-0002: hackage-server CSRF
1 parent d3ecd59 commit 19dfbab

3 files changed

+56
-0
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
../../published/2026/HSEC-2026-0002.md
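Review bot: the relative target `../../published/2026/HSEC-2026-0002.md` only resolves if this new one-line file sits exactly two directory levels below `advisories/`, and the rendered diff here does not show the new file's path or mode; confirm in a fresh checkout that it is created as a symlink that resolves, rather than as a regular file whose only content is the path string, since whatever parses the advisories tree would otherwise read the path as the advisory body.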
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
```toml
2+
[advisory]
3+
id = "HSEC-2026-0002"
4+
cwe = [352]
5+
keywords = ["hackage", "csrf"]
6+
7+
[[affected]]
8+
package = "hackage-server"
9+
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"
10+
11+
[[affected.versions]]
12+
introduced = "0.1"
13+
14+
[[references]]
15+
type = "FIX"
16+
url = "https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"
17+
```
18+
19+
# Hackage CSRF vulnerability
20+
21+
* Vulnerable File: `src/Distribution/Server/Features/Votes.hs` (example)
22+
* Impact: can forge requests through XSS
23+
24+
hackage-server lacked Cross-Site Request Forgery (CSRF) protection
25+
across its endpoints. Scripts on foreign sites could trigger
26+
requests to hackage server, possibly abusing latent credentials to
27+
upload packages or perform other administrative actions. Some
28+
unauthenticated actions could also be abused (e.g. creating new user
29+
accounts).
30+
31+
To fix the issue, a new CSRF middleware checks all requests.
32+
Requests using HTTP methods other than `GET`, `HEAD` and `OPTIONS`
33+
are subject to a check of the [`Sec-Fetch-Site`
34+
header][sec-fetch-site], which is [widely supported by modern
35+
browsers][caniuse-sec-fetch-site]. Cross-site requests are `403
36+
Forbidden`. Certain approved and expected non-browser user agents
37+
(e.g. `cabal-install/*`) are exempted from the check, as are
38+
requests using token authentication (`Authorization: X-ApiKey ...`).
39+
40+
The fix has been [committed][commit] and deployed on
41+
`hackage.haskell.org`.
42+
43+
## Acknowledgements
44+
45+
- **Joshua Rogers** (https://joshua.hu/) of AISLE
46+
(https://aisle.com/) reported the issue to the Haskell Security
47+
Response Team.
48+
- **Spenser Janssen** implemented the fix, and **Fraser Tweedale**
49+
reviewed it.
50+
- **Gershom Bazerman** merged the fix and deployed it to
51+
`hackage.haskell.org`.
52+
53+
[sec-fetch-site]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site
54+
[caniuse-sec-fetch-site]: https://caniuse.com/?search=sec-fetch-site
55+
[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058
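Review bot: the `Impact` bullet says requests can be forged "through XSS", but the advisory body and `cwe = [352]` describe cross-site request forgery from a foreign origin, not script injection into Hackage pages; suggest `* Impact: forged state-changing requests from foreign origins (CSRF)` so the summary matches the body. Two further points on the same hunk: `[[affected.versions]]` gives `introduced = "0.1"` with no `fixed` entry, which marks every released `hackage-server` version as affected, so if no Hackage release contains the fix commit the body should say so explicitly (it currently only says the fix was committed and deployed to `hackage.haskell.org`) and a `fixed` bound should be added once a release ships; and the mitigation paragraph does not say how a mutating request that carries no `Sec-Fetch-Site` header at all is handled (older browsers, and non-browser clients that are neither in the exempted user-agent list nor using `X-ApiKey` authentication), which readers need in order to judge residual exposure.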

advisories/reserved/2026/HSEC-2026-0002.md

Whitespace-only changes.
