A critical XSS vulnerability in the Hackage server allows attackers to hijack active user sessions, potentially leading to unauthorized package management and metadata alteration.

The server incorrectly handles HTML and JavaScript files within uploaded packages. A malicious maintainer can upload content that executes in the browser of a user with active credentials, resulting in full session hijacking.

The CVSS score of 9.9 represents a critical threat to the supply chain integrity of the Haskell ecosystem. Hijacking sessions allows attackers to inject malicious code into packages or alter project metadata, potentially poisoning downstream software consumers.

Immediate Action: Update the Hackage server software to the latest version provided by the Haskell community.

Proactive Monitoring: Monitor for unexpected changes to package metadata or suspicious package upload activities.

Compensating Controls: Users should clear browser sessions after interacting with the platform and maintain strict control over maintainer credentials.

Public Exploit Available: No

This vulnerability poses a significant risk to the integrity of the software supply chain. Administrators of Hackage instances must apply the security patches immediately to prevent unauthorized session access and maintain the trust of the development community.