Skip to main content

CVE-2025-32019: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in goharbor harbor

Medium
VulnerabilityCVE-2025-32019cvecve-2025-32019cwe-79
Published: Wed Jul 23 2025 (07/23/2025, 20:38:10 UTC)
Source: CVE Database V5
Vendor/Project: goharbor
Product: harbor

Description

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.

AI-Powered Analysis

AILast updated: 07/23/2025, 21:03:21 UTC

Technical Analysis

CVE-2025-32019 is a medium-severity cross-site scripting (XSS) vulnerability affecting the open source cloud native registry project Harbor, maintained by goharbor. Harbor is widely used for storing, signing, and scanning container images in cloud native environments. The vulnerability exists in versions 2.11.2 and below, as well as certain release candidate versions 2.12.0-rc1 to below 2.12.4-rc1 and 2.13.0-rc1 to below 2.13.1-rc1. The issue arises from improper neutralization of user input in the markdown field on the info tab page, allowing an attacker with limited privileges (requires authentication) to inject malicious scripts that execute in the context of other users viewing the page. The CVSS 3.1 base score is 4.1, reflecting a network attack vector with low complexity, requiring privileges and user interaction, and impacting confidentiality with no effect on integrity or availability. The vulnerability scope is changed (S:C), meaning the impact can extend beyond the vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability could be leveraged to steal session tokens, perform actions on behalf of users, or conduct phishing attacks within the Harbor web interface. The issue is fixed in versions 2.11.3 and 2.12.3 and later. Organizations running affected versions should upgrade promptly to mitigate risk. Given Harbor's role in container image management, exploitation could indirectly affect supply chain security and trust in container deployments.

Potential Impact

For European organizations, the impact of this XSS vulnerability in Harbor can be significant, especially for enterprises relying on containerized applications and DevOps pipelines. Harbor is often integrated into CI/CD workflows and used to manage container images in private registries. Exploitation could lead to session hijacking or unauthorized actions within the Harbor UI, potentially exposing sensitive metadata or enabling lateral movement within the development environment. This could undermine the integrity of container image management and introduce risks to software supply chain security. Although the vulnerability does not directly compromise container images or their contents, the ability to execute scripts in the Harbor interface can facilitate social engineering or privilege escalation attacks. Organizations in regulated sectors such as finance, healthcare, and critical infrastructure in Europe could face compliance and operational risks if this vulnerability is exploited. The medium severity score suggests a moderate risk level, but the strategic importance of container registries in modern cloud native environments elevates the potential impact.

Mitigation Recommendations

1. Immediate upgrade to Harbor versions 2.11.3, 2.12.3, or later stable releases where the vulnerability is patched. 2. Implement strict access controls and role-based permissions in Harbor to limit who can edit or input markdown content in the info tab. 3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the markdown field. 4. Conduct regular security audits and penetration testing focused on the Harbor web interface to identify any residual or related vulnerabilities. 5. Educate users and administrators about phishing risks and suspicious behavior that could result from XSS exploitation. 6. Monitor Harbor logs for unusual activity or repeated attempts to inject scripts. 7. If upgrading immediately is not feasible, consider disabling or restricting markdown input fields temporarily as a stopgap measure. 8. Integrate Harbor security updates into the organization's patch management and container security policies to ensure timely remediation of future vulnerabilities.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-01T21:57:32.954Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68814a71ad5a09ad0027bdef

Added to database: 7/23/2025, 8:47:45 PM

Last enriched: 7/23/2025, 9:03:21 PM

Last updated: 7/25/2025, 12:34:38 AM

Views: 5

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats