CVE-2026-40471
CRITICAL 9.6 | EPSS 0.02% | Hackage CSRF vulnerability

Description
# Hackage CSRF vulnerability

* Vulnerable File: `src/Distribution/Server/Features/Votes.hs` (example)
* Impact: can forge requests through XSS

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to the Hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

To fix the issue, a new CSRF middleware checks all requests. Requests using HTTP methods other than `GET`, `HEAD` and `OPTIONS` are subject to a check of the [`Sec-Fetch-Site` header][sec-fetch-site], which is [widely supported by modern browsers][caniuse-sec-fetch-site]. Cross-site requests are rejected with `403 Forbidden`. Certain approved and expected non-browser user agents (e.g. `cabal-install/*`) are exempted from the check, as are requests using token authentication (`Authorization: X-ApiKey ...`).

The fix has been [committed][commit] and deployed on `hackage.haskell.org`.

## Acknowledgements

- **Joshua Rogers** (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- **Spenser Janssen** implemented the fix, and **Fraser Tweedale** reviewed it.
- **Gershom Bazerman** merged the fix and deployed it to `hackage.haskell.org`.

[sec-fetch-site]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site
[caniuse-sec-fetch-site]: https://caniuse.com/?search=sec-fetch-site
[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058
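An added illustration of the request gate the advisory describes, written here in Python as a stand-in for the Haskell middleware (this is not hackage-server's code). The exempt user-agent list beyond `cabal-install/*` and the handling of a request with no `Sec-Fetch-Site` header are assumptions; the advisory does not specify them.

```python
from fnmatch import fnmatchcase
from typing import Mapping, Optional

# Methods the middleware does not subject to the Sec-Fetch-Site check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Approved non-browser clients. The advisory names cabal-install/*; any
# further entries in the real allow-list are not on the page (assumption).
EXEMPT_USER_AGENTS = ("cabal-install/*",)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup over a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_status(method: str, headers: Mapping[str, str]) -> int:
    """Return 403 when the request must be rejected as cross-site, else 200.

    Exemptions mirror the advisory: safe methods, approved non-browser
    user agents, and token authentication (Authorization: X-ApiKey ...).
    """
    if method.upper() in SAFE_METHODS:
        return 200
    user_agent = _header(headers, "User-Agent") or ""
    if any(fnmatchcase(user_agent, pat) for pat in EXEMPT_USER_AGENTS):
        return 200
    auth = _header(headers, "Authorization") or ""
    if auth.split(None, 1)[:1] == ["X-ApiKey"]:
        return 200
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        # Assumption: a request without the header (older browser or other
        # non-browser client) is let through; the advisory does not say.
        return 200
    return 403 if site.strip().lower() == "cross-site" else 200


# Constructed sample requests, not captured traffic.
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "cross-site"}),            # forged form post
    ("POST", {"Sec-Fetch-Site": "same-origin"}),           # normal site use
    ("PUT", {"User-Agent": "cabal-install/3.10.1.0"}),    # cabal upload
    ("POST", {"Sec-Fetch-Site": "cross-site", "Authorization": "X-ApiKey k"}),
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, hdrs, "->", csrf_status(method, hdrs))
```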
Affected packages (1)

- Hackage/hackage-server >= 0.1

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |