The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.
This report details the SRT activities for April–June 2025.
The SRT is:
- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu
- Mihai Maruseac
- Montez Fitzpatrick
- Tristan de Cacqueray
How to contact the SRT
For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact security-advisories@haskell.org. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.
You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our GitHub repository.
You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, GitHub issues are an appropriate forum. But the mail address is there if no other appropriate channel exists.
ZuriHac trip report
Members of the team met in person at ZuriHac. We discussed handling package namespaces to support external registries as part of the advisories we manage (see issue#240). With the help of other attendees, we re-discovered a dependency confusion vulnerability in older versions of cabal-install (see HSEC-2025-0005).
The team also discussed long term project ideas to improve the ecosystem security. We have a few lists scattered in our meeting notes and we’ll collect the ideas in a top level file to be shared with the community.
We would like to thank the ZuriHac organizers for the opportunity to meet with the other members of the ecosystem.
Advisory database
1 contemporary advisory and no historical advisories were published during the reporting period.
2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) remain reserved for embargoed vulnerabilities, which will be published later.
We urge community members to report any known security issues, including historical issues, that are not yet included in the database.
A note on the long-term embargoes
HSEC-2024-0004 and HSEC-2024-0005 have been under embargo for a year now. Because of the long duration, it is appropriate for the SRT to provide some commentary about them.
First, both of these issues affect the same component, but they are otherwise unrelated.
Second, this is not a case of an unresponsive maintainer, but both issues are complex to resolve and the maintainers and stakeholders (including the SRT) are moving forward as best we can with our limited capacity. HSEC-2024-0004—the more severe of the two—is already partially mitigated. We hope (but cannot guarantee) that the mitigations can be completed and this advisory unembargoed in the coming months. HSEC-2024-0005 is less severe and has been deprioritised. We expect it will remain under embargo for longer still.
Finally, we want to assure the community that keeping these issues under embargo until the mitigations are complete is the best course of action, even though it is taking a long time. There are no specific mitigation steps we can reveal to the community at this time. If you have questions or concerns, please get in touch with the SRT.
OCaml Security Team
The OCaml Software Foundation is establishing the OCaml Security Team. They reached out to the Haskell SRT and we have shared our experiences and ideas. Congratulations to the OCaml community on this important step. We look forward to an open exchange of information and ideas between our teams.
Spurious web security report
During the reporting period we received a spurious report (possibly auto-generated) about HTTP directory listing being enabled on https://haskell.org. We assessed the impact as negligible.
In any case, this is a good opportunity to remind our community that Haskell project infrastructure (sites, services, etc) are within the SRT’s purview, in addition to the library ecosystem. If you uncover any actual or potential security issues, please contact the SRT.
Tooling updates
- Gautier implemented a
purl(Package URL) library, and updated theosvlibrary to use this new type. We will publish it on Hackage soon.