Advisory GHSA-f9vc-vf3r-pqqq references a vulnerability in the following Go modules:
| Module |
| --- |
| github.com/goharbor/harbor |
Description:
Impact
In the Harbor repository information, it is possible to inject code resulting in a stored XSS issue.
Patches
Harbor v2.12.3 Harbor 2.11.3
Workarounds
No
References
Credit
References:
- ADVISORY: GHSA-f9vc-vf3r-pqqq
- ADVISORY: GHSA-f9vc-vf3r-pqqq
- FIX: goharbor/harbor@76c2c5f
- FIX: goharbor/harbor@a13a163
- FIX: goharbor/harbor@f019430
Cross references:
- github.com/goharbor/harbor appears in 21 other report(s):
  - data/excluded/GO-2022-1009.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31667, GHSA-xx9w-464f-7h6f #1009) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-1010.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31669, GHSA-8c6p-v837-77f6 #1010) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-1011.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31666, GHSA-jf8p-3vjh-pq94 #1011) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-1012.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31670, GHSA-3637-v6vq-xqqw #1012) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-1013.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31671, GHSA-q76q-q8hw-hmpw #1013) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2245.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2019-16919 #2245) LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2256.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2019-3990 #2256) LEGACY_FALSE_POSITIVE
  - data/reports/GO-2022-0704.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q9x4-q76f-5h5j #704)
  - data/reports/GO-2022-0781.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-33p6-fx42-7rf5 #781)
  - data/reports/GO-2022-0785.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-38r5-34mr-mvm7 #785)
  - data/reports/GO-2022-0818.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor/src/core/api: GHSA-9wvh-ff5f-xjpj #818)
  - data/reports/GO-2022-0853.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-jr34-mff8-pc6f #853)
  - data/reports/GO-2022-0863.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q6cj-6jvq-jwmh #863)
  - data/reports/GO-2022-0865.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor/src/core/api: GHSA-q9p8-33wc-h432 #865)
  - data/reports/GO-2022-0876.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-rffr-c932-cpxv #876)
  - data/reports/GO-2022-0883.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-w4x5-jqq4-qc8x #883)
  - data/reports/GO-2023-2109.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-mq6f-5xh5-hgcf #2109)
  - data/reports/GO-2024-2915.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2024-22244 #2915)
  - data/reports/GO-2024-2916.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2024-22261 #2916)
  - data/reports/GO-2024-3013.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-hw28-333w-qxp3 #3013)
  - data/reports/GO-2024-3268.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31668 #3268)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/goharbor/harbor
      versions:
        - introduced: 2.12.0-rc1+incompatible
        - fixed: 2.12.4-rc1+incompatible
        - introduced: 2.13.0-rc1+incompatible
        - fixed: 2.13.1-rc1+incompatible
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 2.4.0-rc1.1, <= 2.11.2")
        - fixed: 2.4.0-rc1.0.20250421072404-a13a16383a41
      vulnerable_at: 2.13.0+incompatible
summary: Harbor repository description page has Cross-site Scripting vulnerability in github.com/goharbor/harbor
cves:
    - CVE-2025-32019
ghsas:
    - GHSA-f9vc-vf3r-pqqq
references:
    - advisory: https://github.com/advisories/GHSA-f9vc-vf3r-pqqq
    - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq
    - fix: https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058
    - fix: https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088
    - fix: https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5
notes:
    - fix: 'module merge error: could not merge versions of module github.com/goharbor/harbor: invalid or non-canonical semver version (found TODO (earliest fixed "", vuln range ">= 2.4.0-rc1.1, <= 2.11.2"))'
source:
    id: GHSA-f9vc-vf3r-pqqq
    created: 2025-07-23T15:01:33.162845Z
review_status: UNREVIEWED
```