VYPR
Medium severity · 4.1 · OSV Advisory · Published Jul 23, 2025 · Updated Apr 15, 2026

CVE-2025-32019

Description

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Harbor 2.11.2 and earlier, together with the 2.12.0-rc1 and 2.13.0-rc1 release candidates, contain a stored XSS vulnerability in the repository info markdown (description) field that lets a user with write access to a repository inject arbitrary HTML and JavaScript into the sessions of other users who view that repository.

Vulnerability

Harbor, an open source container registry, is vulnerable to stored cross-site scripting (XSS) through the markdown field on the repository info tab. The description submitted through the repository update API is stored without sanitization or escaping, so HTML and JavaScript embedded in it are persisted and later rendered in the browsers of users who open the tab. [1][2]

Exploitation

An attacker with write access to a repository (e.g., a project admin or developer) updates the repository description with crafted markdown that carries an XSS payload. The payload executes in the browser of every user who subsequently views the repository info tab; no interaction beyond viewing the page is required, and the victim may hold higher privileges than the attacker. [3]

Impact

Successful exploitation yields arbitrary JavaScript execution in the context of the Harbor web interface and the victim's authenticated session, enabling session hijacking, credential theft, or actions performed through the UI or API on behalf of the victim user.

Mitigation

The issue is fixed in Harbor versions 2.11.3 and 2.12.3 (the advisory's package data additionally lists 2.12.4-rc1 and 2.13.1-rc1 as the patched versions for the release-candidate ranges). Users should upgrade immediately. The fix applies HTML escaping (template.HTMLEscapeString) to the description in the repository update handler, that is, on write rather than on render. [4] Two consequences follow from that choice: descriptions stored before the upgrade are not retroactively escaped, so existing repository descriptions should be audited or re-saved after upgrading; and HTML-significant characters in legitimate markdown (the ">" that opens a blockquote, a bare "&") are now stored entity-encoded. For older versions, restricting write access on repositories to trusted users reduces the risk but does not remove it.
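The vulnerable pass-through and the write-time escaping discussed in the Vulnerability, Exploitation and Mitigation paragraphs, as an added worked example in Go. This is illustrative code written for this page, not Harbor's own: storeDescriptionUnpatched and storeDescriptionPatched mirror the before and after of the fix commit's Description line, while renderAsRawHTML, containsRawHTML, auditStored, roundTrip, the sample descriptions and the SQL in the comment are assumptions made for the illustration. The example also shows two things the paragraphs only state: an upgrade does not clean descriptions that were stored unescaped earlier, and escaping on write is not idempotent when a client reads a description back and saves it again.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Constructed sample descriptions standing in for the repository "description"
// field that CVE-2025-32019 concerns. None of these come from a real Harbor
// instance; they are illustrative inputs.
var sampleDescriptions = []string{
	"Base image for the payments service",
	"> NOTE: rebuilt nightly & scanned",              // legitimate markdown: blockquote plus a bare ampersand
	"See <img src=x onerror=\"alert(1)\"> for docs", // inline HTML of the kind a stored-XSS attempt carries
}

// storeDescriptionUnpatched mirrors the pre-fix behaviour of UpdateRepository:
// the submitted description is stored byte for byte.
func storeDescriptionUnpatched(desc string) string {
	return desc
}

// storeDescriptionPatched mirrors the fix commit: template.HTMLEscapeString is
// applied once, at write time, before the value reaches the database.
func storeDescriptionPatched(desc string) string {
	return template.HTMLEscapeString(desc)
}

// renderAsRawHTML models (as an assumption, not Harbor's UI code) a renderer
// that passes inline HTML in the stored markdown through untouched. It exists
// only to make visible what the stored bytes do once they reach a browser.
func renderAsRawHTML(stored string) string {
	return "<div class=\"repo-info\">" + stored + "</div>"
}

// rawTag matches anything that still looks like an HTML tag after storage.
var rawTag = regexp.MustCompile(`(?i)<\s*/?\s*[a-z][^>]*>`)

// containsRawHTML is the post-upgrade audit check: the fix escapes only on
// write, so rows saved before the upgrade keep whatever tags they had.
// Assumed Harbor schema for pulling candidates out of the database:
//   SELECT repository_id, name, description FROM repository WHERE description LIKE '%<%';
func containsRawHTML(stored string) bool {
	return rawTag.MatchString(stored)
}

// auditStored returns the indices of stored descriptions that an upgrade alone
// would not have cleaned and that need re-saving or manual review.
func auditStored(stored []string) []int {
	var hits []int
	for i, s := range stored {
		if containsRawHTML(s) {
			hits = append(hits, i)
		}
	}
	return hits
}

// roundTrip models a client that GETs the description and PUTs it back
// unchanged, as an edit form does. With escaping on write this is not
// idempotent: every save adds one more level of entity encoding.
func roundTrip(desc string, saves int) string {
	for i := 0; i < saves; i++ {
		desc = storeDescriptionPatched(desc)
	}
	return desc
}

func main() {
	for _, d := range sampleDescriptions {
		fmt.Printf("unpatched render: %s\n", renderAsRawHTML(storeDescriptionUnpatched(d)))
		fmt.Printf("patched render:   %s\n", renderAsRawHTML(storeDescriptionPatched(d)))
	}
	// Descriptions written before the upgrade are still raw in the database.
	fmt.Println("needs cleanup after upgrade:", auditStored(sampleDescriptions))
	// Legitimate markdown degrades: the blockquote marker is stored as "&gt;".
	fmt.Println("blockquote encoded:", strings.HasPrefix(storeDescriptionPatched(sampleDescriptions[1]), "&gt;"))
	// Read-modify-write through the API double-encodes on every save.
	fmt.Println(roundTrip("rebuilt nightly & scanned", 2))
}
```

Running the audit against the constructed samples flags only the third description; after an upgrade that same check, fed rows from the real database, is what tells you whether a pre-existing payload is still sitting in a description. The roundTrip result is the reason a reviewer would prefer escaping at render time: the stored value is no longer what the user typed.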

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/goharbor/harbor (Go) | >= 2.12.0-rc1, < 2.12.4-rc1 | 2.12.4-rc1
github.com/goharbor/harbor (Go) | >= 2.13.0-rc1, < 2.13.1-rc1 | 2.13.1-rc1
github.com/goharbor/harbor (Go) | >= 2.4.0-rc1.1, <= 2.11.2 | (none listed)
github.com/goharbor/harbor (Go) | < 2.4.0-rc1.0.20250421072404-a13a16383a41 | 2.4.0-rc1.0.20250421072404-a13a16383a41

Affected products (2)

  • Harbor/Harbor (source: OSV), 2 version ranges
    0.1.0, 0.1.1, 0.3.0, …+ 1 more
    • (no CPE) range: 0.1.0, 0.1.1, 0.3.0, …
    • (no CPE) range: <=2.11.2, 2.12.0-rc1, 2.13.0-rc1

Patches (3)
76c2c5f7cfd9

[cherry-pick] Update artifact info (#21908)

https://github.com/goharbor/harbor · stonezdj (Daojun Zhang) · May 7, 2025 · via ghsa
1 file changed · +2 −1
  • src/server/v2.0/handler/repository.go (+2 −1, modified)
    @@ -17,6 +17,7 @@ package handler
     import (
     	"context"
     	"fmt"
    +	"html/template"
     
     	"github.com/go-openapi/runtime/middleware"
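Review bot: pulling html/template into the handler package for a single string escape is heavier than needed; html.EscapeString from the standard html package escapes <, >, &, ' and " without the template engine and makes the intent at the call site (plain-text escaping, not template rendering) clearer. If the template import is kept, a one-line comment on it saying that the escaping is deliberately done on write would help the next reader, since nothing else in this file explains the choice.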
     
    @@ -235,7 +236,7 @@ func (r *repositoryAPI) UpdateRepository(ctx context.Context, params operation.U
     	if err := r.repoCtl.Update(ctx, &repomodel.RepoRecord{
     		RepositoryID: repository.RepositoryID,
     		Name:         repository.Name,
    -		Description:  params.Repository.Description,
    +		Description:  template.HTMLEscapeString(params.Repository.Description),
     	}, "Description"); err != nil {
     		return r.SendError(ctx, err)
     	}
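Review bot: escaping in the write path (the Description: template.HTMLEscapeString(...) line) changes what is stored rather than what is rendered, and there is no guard against input that is already escaped, so a client that reads the description back and submits it unchanged, which is exactly what an edit form does, double-encodes it on every save: "a & b" becomes "a &amp; b", then "a &amp;amp; b". Every ">", "&", quote and "<" in legitimate markdown is also encoded before any markdown renderer sees it, which affects blockquotes and bare ampersands in existing descriptions, and rows stored before this change stay unescaped because nothing in this hunk touches them. Suggest keeping the raw value in the store and escaping or HTML-sanitizing at render time in the UI; if write-time escaping is kept, document the behaviour change for API consumers and add a migration that escapes existing rows once.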
    
f01943087211

[cherry-pick] Update artifact info (#21907)

https://github.com/goharbor/harbor · stonezdj (Daojun Zhang) · Apr 22, 2025 · via ghsa
1 file changed · +2 −1
  • src/server/v2.0/handler/repository.go (+2 −1, modified)
    @@ -17,6 +17,7 @@ package handler
     import (
     	"context"
     	"fmt"
    +	"html/template"
     
     	"github.com/go-openapi/runtime/middleware"
     
    @@ -235,7 +236,7 @@ func (r *repositoryAPI) UpdateRepository(ctx context.Context, params operation.U
     	if err := r.repoCtl.Update(ctx, &repomodel.RepoRecord{
     		RepositoryID: repository.RepositoryID,
     		Name:         repository.Name,
    -		Description:  params.Repository.Description,
    +		Description:  template.HTMLEscapeString(params.Repository.Description),
     	}, "Description"); err != nil {
     		return r.SendError(ctx, err)
     	}
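Review bot: identical to the Description hunk in 76c2c5f7cfd9 above, so the same concerns carry over unchanged: the escape is applied on write with no guard against already-escaped input, legitimate markdown characters are stored entity-encoded, and rows written before this change are not touched.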
    
a13a16383a41

update artifact info (#21902)

https://github.com/goharbor/harbor · stonezdj (Daojun Zhang) · Apr 21, 2025 · via ghsa
1 file changed · +2 −1
  • src/server/v2.0/handler/repository.go (+2 −1, modified)
    @@ -17,6 +17,7 @@ package handler
     import (
     	"context"
     	"fmt"
    +	"html/template"
     
     	"github.com/go-openapi/runtime/middleware"
     
    @@ -235,7 +236,7 @@ func (r *repositoryAPI) UpdateRepository(ctx context.Context, params operation.U
     	if err := r.repoCtl.Update(ctx, &repomodel.RepoRecord{
     		RepositoryID: repository.RepositoryID,
     		Name:         repository.Name,
    -		Description:  params.Repository.Description,
    +		Description:  template.HTMLEscapeString(params.Repository.Description),
     	}, "Description"); err != nil {
     		return r.SendError(ctx, err)
     	}
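Review bot: this is the change that 76c2c5f7cfd9 and f01943087211 above cherry-pick, and the hunk is identical, so the same points apply here: write-time escaping with no guard against already-escaped input, markdown characters stored entity-encoded, and no handling of rows written before the change.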
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)
