HSEC-2025-0004

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0004.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2025-0004
Published
2025-05-06T11:30:13Z
Modified
2025-05-06T11:58:44.148337Z
Summary
Broken Path Sanitization in spacecookie Library
Details

Broken Path Sanitization in spacecookie Library

The spacecookie library exposes the functions sanitizePath and sanitizeIfNotUrl, which are intended to remove .. components from paths so that callers can use them to prevent path traversal attacks. Due to erroneous comparison code, this elimination was not actually performed. This has been remedied in version 1.0.0.3 by comparing components properly with equalFilePath.

Any user of either of these functions, in any version of spacecookie, should upgrade to 1.0.0.3 or later. Note that the spacecookie server executable included in the same package is not affected by the problem, since a separate check rejects any malicious path that gets past sanitizePath.
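The following is an added example, not code from the spacecookie project, showing the comparison detail the advisory is about. In System.FilePath, splitPath keeps trailing separators on each component (so "a/../b" splits into ["a/", "../", "b"]), which means a naive (== "..") test never matches; equalFilePath normalises both sides before comparing. The helper names dropDotDot and isSafeRelative are assumptions, and the second function illustrates the kind of separate rejection check the advisory describes for the server executable.

```haskell
-- Added example (not the spacecookie project's own code). Requires the
-- filepath package, which ships with GHC.
module Main where

import System.FilePath (splitPath, joinPath, equalFilePath, isAbsolute)

-- Hypothetical sanitizer: drop every component that is "..".
-- splitPath yields "../" for interior components, so a plain
-- (== "..") comparison would miss them; equalFilePath handles
-- the trailing separator and platform-specific spelling.
dropDotDot :: FilePath -> FilePath
dropDotDot = joinPath . filter (not . (`equalFilePath` "..")) . splitPath

-- Hypothetical defence-in-depth check, applied after sanitising:
-- reject anything absolute or still carrying a ".." component,
-- so a sanitizer bug cannot reach the filesystem layer on its own.
isSafeRelative :: FilePath -> Bool
isSafeRelative p =
  not (isAbsolute p) && not (any (`equalFilePath` "..") (splitPath p))

main :: IO ()
main = do
  -- Constructed sample inputs.
  let samples = ["docs/../../etc/passwd", "a/b/c", "../secret", "/abs/path"]
  mapM_ report samples
  where
    report p = putStrLn $
      p ++ " -> " ++ dropDotDot p
        ++ "  accepted: " ++ show (isSafeRelative (dropDotDot p))
```

For the constructed inputs, "docs/../../etc/passwd" becomes "docs/etc/passwd" and "../secret" becomes "secret", while "/abs/path" survives dropDotDot unchanged and is then rejected by isSafeRelative because it is absolute. Keeping the rejection check separate from the sanitizer is what limited the impact on the bundled server here.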

References

Affected packages

Hackage / spacecookie

Package

Name
spacecookie
Purl
pkg:hackage/spacecookie

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.2.0.0
Fixed
1.0.0.3

Affected versions

0.*

0.2.0.1
0.2.1.0
0.2.1.1
0.2.1.2

1.*

1.0.0.0
1.0.0.1
1.0.0.2