CVE-2026-40472

Haskell · hackage-server

The hackage-server application fails to sanitize user-controlled metadata from .cabal files, leading to a stored Cross-Site Scripting (XSS) vulnerability.

Executive summary

A stored Cross-Site Scripting vulnerability in hackage-server allows attackers to execute malicious scripts in the context of other users, potentially leading to session hijacking.

Vulnerability

This is a stored Cross-Site Scripting (XSS) flaw: metadata taken from an uploaded package's .cabal file is written into HTML href attributes without validation or escaping. In an href context that typically leaves two avenues: a value carrying a scripting scheme such as javascript:, or a value containing a double quote that closes the attribute and appends an event-handler attribute of the attacker's choosing. Because the payload is stored with the package, it executes in the browser of every user who views the affected package page, within the origin of the hackage-server instance.

Business impact

The advisory rates this vulnerability at CVSS 9.9. Successful exploitation lets an attacker steal the sessions of authenticated users who view the affected page or send developers to attacker-controlled resources, undermining the trust that software package management depends on.

Remediation

Immediate Action: Update the hackage-server instance to the fixed release identified by the vendor, which sanitizes .cabal metadata before rendering it into HTML.

Proactive Monitoring: Review upload logs and newly uploaded .cabal metadata for values that do not belong in a URL-typed field: schemes other than http or https, embedded quotes, angle brackets or whitespace, and unusually long values. Such values are a sign of attempted injection and warrant inspection of the package.
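The following Python was written for this page as an illustration; it is not hackage-server code (that project is Haskell) and does not reproduce its templates. It models the flaw described under Vulnerability next to a hardened rendering (scheme allow-list plus attribute escaping), and implements the kind of check suggested under Proactive Monitoring over two constructed .cabal snippets. The field names treated as links, the simplified one-line-per-field parser and the length threshold are assumptions.

```python
"""Illustration for CVE-2026-40472: a .cabal URL field rendered into an href.

Example code written for this page. It is NOT hackage-server code (that project is
Haskell) and does not reproduce its templates; it models the vulnerable pattern the
advisory describes next to a hardened one, plus a check for upload monitoring.
"""
import html
import re
from urllib.parse import urlsplit

# Assumption: these .cabal fields are the ones a package page turns into links.
URL_FIELDS = ("homepage", "bug-reports")
ALLOWED_SCHEMES = ("http", "https")
SUSPICIOUS_CHARS = set('"\'<>')

# Constructed .cabal snippets for the demo (not real packages).
BENIGN_CABAL = """\
name:          demo
version:       0.1.0.0
homepage:      https://example.com/demo
bug-reports:   https://example.com/demo/issues
"""

MALICIOUS_CABAL = """\
name:          evil
version:       0.1.0.0
homepage:      javascript:alert(document.cookie)
bug-reports:   https://example.com/x" onmouseover="alert(1)
"""


def cabal_fields(text):
    """Return {field: value} for single-line top-level 'Field: value' entries.

    Simplified on purpose: real .cabal files also have indented continuation
    lines and sections, which this parser ignores. Field names are
    case-insensitive in Cabal, so they are lower-cased here.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def render_link_vulnerable(url):
    """The flawed pattern: the field value goes into the attribute verbatim."""
    return '<a href="%s">%s</a>' % (url, url)


def is_safe_href(url):
    """Allow only absolute http(s) URLs with a host.

    Rejects javascript:/data: style schemes and scheme-relative values such as
    //evil.example/, which would inherit the page's scheme.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link_hardened(url):
    """Scheme allow-list first, then attribute escaping.

    Escaping alone would still let javascript: through as a working link;
    the allow-list alone would still let a quote close the attribute. Both
    are needed. Values that fail the allow-list are shown as escaped text.
    """
    if not is_safe_href(url):
        return html.escape(url, quote=True)
    safe = html.escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


def audit_cabal(text, max_len=2048):
    """Monitoring check over an uploaded .cabal: flag link fields that look injected.

    Returns (field, reason, value) tuples. max_len is an assumed threshold.
    """
    findings = []
    for field, value in cabal_fields(text).items():
        if field not in URL_FIELDS:
            continue
        if not is_safe_href(value):
            findings.append((field, "unsafe-href", value))
        elif any(c in SUSPICIOUS_CHARS or c.isspace() for c in value):
            findings.append((field, "suspicious-chars", value))
        elif len(value) > max_len:
            findings.append((field, "oversized", value))
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_CABAL), ("malicious", MALICIOUS_CABAL)):
        print("==", label)
        for field in URL_FIELDS:
            value = cabal_fields(text)[field]
            print("vulnerable:", render_link_vulnerable(value))
            print("hardened:  ", render_link_hardened(value))
        print("audit:", audit_cabal(text))
```

Run as a script, the malicious snippet shows the two failure modes side by side: the javascript: homepage becomes a clickable script link under the vulnerable renderer and plain escaped text under the hardened one, while the bug-reports value passes the scheme allow-list (it is a real https URL) and is only neutralised by attribute escaping, which is why the audit flags it separately as suspicious-chars rather than unsafe-href.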

Compensating Controls: Deploy a Content Security Policy (CSP) that disallows inline script. Such a policy blocks both injected inline event handlers and javascript: URLs, which browsers treat as inline script. CSP is defence in depth, not a fix: it does not stop a link that simply points to an attacker-controlled https:// site, and it must be tuned so the application's own scripts and assets still load.
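As an added example, not part of the advisory or of hackage-server's own configuration, the header above set on an assumed nginx reverse proxy in front of the instance. The hostname, backend address and directive values are assumptions and must be checked against the origins the application actually loads scripts and assets from:

```nginx
# Assumed nginx reverse proxy in front of hackage-server (illustrative, not upstream config).
# Start in report-only mode; rename the header to Content-Security-Policy once the
# reports show the application's own pages are not being blocked.
server {
    listen 443 ssl;
    server_name hackage.example.internal;   # placeholder hostname

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend address

        # 'self' only: injected inline handlers and javascript: URLs are refused,
        # because CSP treats both as inline script. 'always' applies the header
        # to error responses too. Add report-to/report-uri if reports are collected.
        add_header Content-Security-Policy-Report-Only
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
    }
}
```

Note what this does not cover: a stored href that is a plain https:// link to an attacker's site is still followed on click, so the redirection impact described under Business impact remains until the vendor fix is applied.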

Exploitation status

Public Exploit Available: No

Analyst recommendation

All administrators of hackage-server infrastructure should verify the version they are running and apply the vendor-supplied security update without delay. Package metadata is rendered to every visitor of the index, so its integrity is part of the security of every development pipeline that depends on it.