CVE-2025-32019
Published 2025-07-23
Priority: P4 (20) · Severity: medium · CVSS 3.1 base score: 4.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
EPSS: 0.30% (21.9th percentile)
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability in the markdown description field on the repository info tab: the field accepts attacker-controlled markup, which is stored and later rendered for other users, resulting in stored cross-site scripting (XSS). This is fixed in versions 2.11.3 and 2.12.3.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 0 < 2.4.0-rc1.0.20250421072404-a13a16383a41 | 2.4.0-rc1.0.20250421072404-a13a16383a41 |
| github.com | goharbor_harbor | >= 2.12.0-rc1 < 2.12.4-rc1 | 2.12.4-rc1 |
| github.com | goharbor_harbor | >= 2.12.0-rc1+incompatible < 2.12.4-rc1+incompatible | 2.12.4-rc1+incompatible |
| github.com | goharbor_harbor | >= 2.13.0-rc1 < 2.13.1-rc1 | 2.13.1-rc1 |
| github.com | goharbor_harbor | >= 2.13.0-rc1+incompatible < 2.13.1-rc1+incompatible | 2.13.1-rc1+incompatible |
| github.com | goharbor_harbor | 2.4.0-rc1.1 – 2.11.2 | — |
| goharbor | harbor | <= 2.4.0-rc1.1, < 2.11.3 | — |
| goharbor | harbor | — | — |
| goharbor | harbor | — | — |
OSV
osv · 2025-07-29
CVE-2025-32019: Harbor repository description page has Cross-site Scripting vulnerability in github.com/goharbor/harbor.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/goharbor/harbor before v2.4.0-rc1.0.20250421072404-a13a16383a41.
GHSA
ghsa · 2025-07-23
CVE-2025-32019 [MEDIUM] CWE-79: Harbor repository description page has Cross-site Scripting vulnerability
### Impact
In the Harbor repository information, it is possible to inject code resulting in a stored XSS issue.
### Patches
Harbor v2.12.3 Harbor 2.11.3
### Workarounds
No
### References
### Credit
[email protected]
No detection rules found.
No public exploits indexed.
References:
https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058
https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088
https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5
https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq
Published: 2025-07-23