Skip to content

HSEC-2025-0005: cabal-install dependency confusion #281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
blackheaven merged 1 commit into from
Jul 13, 2025
Merged

HSEC-2025-0005: cabal-install dependency confusion #281

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions advisories/hackage/cabal-install/HSEC-2025-0005.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
```toml
[advisory]
id = "HSEC-2025-0005"
cwe = [427]
keywords = ["hackage", "supply-chain", "historical"]

[[affected]]
package = "cabal-install"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
[[affected.versions]]
fixed = "3.4.0.0"
introduced = "1.0.0.0"

[[references]]
type = "REPORT"
url = "https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html"
```

# `cabal-install` dependency confusion

For **cabal-install < 3.4.0.0** and where multiple repositories are
configured, the resolver picks the highest available version across
all repositories. Where a package is only defined in a private
repository, this behaviour leads to a [*dependency confusion*][blog]
supply chain vulnerability. If the private package name becomes
known, a malicious actor can claim the name in the public repository
and publish a malicious version at a higher version number.

Default `cabal-install` configurations that only use the
`hackage.haskell.org` repository are not affected. Configurations
that use curated private repositories **exclusively** are also not
affected.

[blog]: https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html


## Mitigations

*cabal-install* version **3.4.0.0** and higher provide an `override`
option in the repository configuration. It marks the associated
repository as canonical for all packages defined in that repository.
No other repositories will be considered. For example:

```
-- For packages in repo.example.com,
-- only versions in repo.example.com are considered
active-repositories:
, hackage.haskell.org
, repo.example.com:override
```

Users and organisations using private repositories that contain
private packages in addition to public repositories **MUST** use the
`override` option to prevent dependency confusion attacks.

Alternatively, projects and organisations can run a private instance
of *hackage-server* and carefully curate and review its contents.
Using that instance exclusively defeats supply chain attacks
including *dependency confusion*. For *cabal-install < 3.4* and
where using multiple repositories, this is the only effective
mitigation against dependency confusion attacks.