CVE-2025-32019
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-07-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goharbor | harbor | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-32019 is a stored Cross-Site Scripting (XSS) vulnerability in the Harbor container registry. It occurs because the markdown field in the info tab page, specifically the repository description, can be exploited to inject malicious HTML or script code. This malicious code is stored and then executed when other users view the affected repository information. The vulnerability arises from the lack of proper HTML escaping of the repository description before storing or displaying it. [3, 1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious scripts into the repository description field. When other users view this information, the malicious scripts can execute in their browsers, potentially leading to unauthorized access to sensitive information (confidentiality breach). However, it does not affect data integrity or system availability. Exploitation requires low privileges and some user interaction, and the attack can be performed remotely over the network. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Harbor instance is running a vulnerable version (2.11.2 and below, 2.12.0-rc1, or 2.13.0-rc1) and by inspecting the repository description fields for injected HTML or script tags that could indicate stored XSS. Since the vulnerability involves the markdown field in the info tab page, you can attempt to input or look for suspicious script tags or HTML in repository descriptions. There are no specific commands provided in the resources, but you can query the Harbor API or database for repository descriptions containing suspicious HTML or script elements. For example, using a database query to search for '<script>' tags in the repository description field or using curl to fetch repository info and inspect the description field for unescaped HTML. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Harbor to a fixed version where the vulnerability is patched. The vulnerability is fixed in versions 2.11.3, 2.12.3, 2.12.4, and 2.13.1 and above. Additionally, the fix involves sanitizing the repository description field by applying HTML escaping to prevent XSS injection. Until you upgrade, avoid allowing untrusted users to input markdown or HTML in repository descriptions. If possible, sanitize or validate input on your side to prevent malicious scripts. Monitoring and restricting user privileges to limit who can update repository descriptions can also reduce risk. [1, 2, 3, 4]