hsec-2025-0005
Vulnerability from osv_haskell
Published: 2025-11-14 14:45
Modified: 2025-11-14 14:45
Summary
cabal-install dependency confusion
Details

cabal-install dependency confusion

For cabal-install < 3.4.0.0, when more than one repository is configured, the resolver picks the highest available version of a package across all configured repositories, regardless of which repository provides it. Where a package is only defined in a private repository, this behaviour leads to a dependency confusion supply chain vulnerability (see the report at https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html). If the private package name becomes known, a malicious actor can claim the name in the public repository and publish a malicious version at a higher version number, and the resolver will select it over the genuine private package.

Default cabal-install configurations that only use the hackage.haskell.org repository are not affected. Configurations that use curated private repositories exclusively are also not affected.

Mitigations

cabal-install version 3.4.0.0 and higher provide an override option in the repository configuration. It marks the associated repository as canonical for all packages defined in that repository: for those packages no other repository is consulted, while packages the repository does not define are still resolved from the other active repositories. For example:

-- For packages in repo.example.com,
-- only versions in repo.example.com are considered
active-repositories:
  , hackage.haskell.org
  , repo.example.com:override
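The following Python model is an added illustration for this page, not cabal-install's own code. It reproduces the two behaviours described above: the pre-3.4 "highest version across all repositories" selection that makes the Details scenario possible, and the `:override` semantics that the configuration above relies on. `repo.example.com` is the advisory's placeholder; the package name `acme-internal`, the version numbers and the `shadowed_packages` audit check are constructed for the example (the check is not a cabal feature), and the tie-break between several override repositories is an assumption of the model.

```python
"""Model of how cabal-install picks a package version from several
repositories, before and after the `:override` mitigation.

Added illustration for this page; not cabal-install's own code.  The
repository `repo.example.com`, the package `acme-internal` and all
version numbers are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Index = Dict[str, Dict[str, List[str]]]  # repo -> package -> versions


def parse_version(text: str) -> Version:
    """Cabal versions are dot-separated integers compared component-wise,
    so '1000.0.0' beats '1.2.0' and '10.0' beats '9.9.9'."""
    return tuple(int(part) for part in text.split("."))


# Constructed indexes.  The attacker has learned the private name
# `acme-internal` and published it on the public repository at a version
# number far above anything the private repository will ever reach.
REPOS: Index = {
    "hackage.haskell.org": {
        "text": ["2.0.2", "2.1.1"],
        "acme-internal": ["1000.0.0"],
    },
    "repo.example.com": {
        "acme-internal": ["1.1.0", "1.2.0"],
    },
}


def resolve_highest(repos: Index, pkg: str) -> Optional[Tuple[str, str]]:
    """cabal-install < 3.4.0.0: every configured repository is consulted and
    the highest version wins, whichever repository it came from."""
    best: Optional[Tuple[str, str]] = None
    for repo, index in repos.items():
        for version in index.get(pkg, []):
            if best is None or parse_version(version) > parse_version(best[1]):
                best = (repo, version)
    return best


def parse_active_repositories(field: str) -> List[Tuple[str, bool]]:
    """Parse the value of an `active-repositories:` field into
    [(repository, is_override), ...].  Cabal's list syntax allows a leading
    comma and newlines between entries; a `:override` suffix sets the flag."""
    entries: List[Tuple[str, bool]] = []
    for item in field.replace("\n", " ").split(","):
        item = item.strip()
        if item:
            name, _, suffix = item.partition(":")
            entries.append((name, suffix == "override"))
    return entries


def resolve_with_override(
    repos: Index, active: List[Tuple[str, bool]], pkg: str
) -> Optional[Tuple[str, str]]:
    """cabal-install >= 3.4.0.0 semantics as the advisory describes them: if
    an `:override` repository defines the package, only that repository's
    versions are considered; otherwise all active repositories compete as
    before.  Assumption of this model: should several override repositories
    define the same package, the first one listed wins."""
    names = [name for name, _ in active if name in repos]
    overriding = [
        name for name, is_override in active
        if is_override and pkg in repos.get(name, {})
    ]
    candidates = overriding[:1] if overriding else names
    return resolve_highest({name: repos[name] for name in candidates}, pkg)


def shadowed_packages(repos: Index, active: List[Tuple[str, bool]]) -> List[str]:
    """Added audit check (not a cabal feature): packages present in more
    than one active repository and not pinned by an `:override` repository.
    Each of these is a live dependency-confusion candidate."""
    locations: Dict[str, List[str]] = {}
    for name, _ in active:
        for pkg in repos.get(name, {}):
            locations.setdefault(pkg, []).append(name)
    overrides = {name for name, is_override in active if is_override}
    return sorted(
        pkg for pkg, repos_with_pkg in locations.items()
        if len(repos_with_pkg) > 1 and not overrides.intersection(repos_with_pkg)
    )


if __name__ == "__main__":
    unsafe = parse_active_repositories("hackage.haskell.org, repo.example.com")
    safe = parse_active_repositories(", hackage.haskell.org\n  , repo.example.com:override")
    print("pre-3.4 / no override:", resolve_highest(REPOS, "acme-internal"))
    print("with :override       :", resolve_with_override(REPOS, safe, "acme-internal"))
    print("shadowed, no override:", shadowed_packages(REPOS, unsafe))
    print("shadowed, override   :", shadowed_packages(REPOS, safe))
```

Running the script shows the attacker's `1000.0.0` winning under the old rule and `repo.example.com`'s `1.2.0` winning once the private repository is marked `:override`; `text`, which only the public repository defines, is still resolved from hackage.haskell.org in both cases. The `shadowed_packages` report is the check to run against a real index before trusting a multi-repository configuration: any name it returns is exactly the situation the advisory warns about.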

Users and organisations that use private repositories containing private packages alongside public repositories MUST mark the private repository with the override option to prevent dependency confusion attacks.

Alternatively, projects and organisations can run a private instance of hackage-server and carefully curate and review its contents. Using that instance exclusively, as the only configured repository, defeats supply chain attacks including dependency confusion. For cabal-install < 3.4 where multiple repositories are in use, this is the only effective mitigation against dependency confusion attacks.


{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0005.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0005.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "cabal-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0.0"
            },
            {
              "fixed": "3.4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# `cabal-install` dependency confusion\n\nFor **cabal-install \u003c 3.4.0.0** and where multiple repositories are\nconfigured, the resolver picks the highest available version across\nall repositories.  Where a package is only defined in a private\nrepository, this behaviour leads to a [*dependency confusion*][blog]\nsupply chain vulnerability.  If the private package name becomes\nknown, a malicious actor can claim the name in the public repository\nand publish a malicious version at a higher version number.\n\nDefault `cabal-install` configurations that only use the\n`hackage.haskell.org` repository are not affected.  Configurations\nthat use curated private repositories **exclusively** are also not\naffected.\n\n[blog]: https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html\n\n\n## Mitigations\n\n*cabal-install* version **3.4.0.0** and higher provide an `override`\noption in the repository configuration.  It marks the associated\nrepository as canonical for all packages defined in that repository.\nNo other repositories will be considered.  For example:\n\n```\n-- For packages in repo.example.com,\n-- only versions in repo.example.com are considered\nactive-repositories:\n  , hackage.haskell.org\n  , repo.example.com:override\n```\n\nUsers and organisations using private repositories that contain\nprivate packages in addition to public repositories **MUST** use the\n`override` option to prevent dependency confusion attacks.\n\nAlternatively, projects and organisations can run a private instance\nof *hackage-server* and carefully curate and review its contents.\nUsing that instance exclusively defeats supply chain attacks\nincluding *dependency confusion*.  For *cabal-install \u003c 3.4* and\nwhere using multiple repositories, this is the only effective\nmitigation against dependency confusion attacks.\n",
  "id": "HSEC-2025-0005",
  "modified": "2025-11-14T14:45:34Z",
  "published": "2025-11-14T14:45:34Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "cabal-install dependency confusion"
}