Mitigate CVE-2025-24358 and CVE-2025-47909 by migrating from github.com/gorilla/csrf to filippo.io/csrf/gorilla #22312

@yuzichen12123

Summary

Previously, Harbor downgraded github.com/gorilla/csrf from v1.7.3 to v1.7.2 to avoid a breaking change. However, v1.7.2 is affected by CVE-2025-24358.
I tried upgrading back to v1.7.3 and manually addressing the breaking change in Harbor, but I then ran into the newer CVE-2025-47909.

Based on the vulnerability write-ups, I tested replacing github.com/gorilla/csrf with filippo.io/csrf/gorilla. In my testing this mitigates both CVEs and does not break Harbor functionality.

Proposed change

Migrate the CSRF middleware from github.com/gorilla/csrf to filippo.io/csrf/gorilla:

- import csrf "github.com/gorilla/csrf"
+ import csrf "filippo.io/csrf/gorilla"
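Review bot: the hunk only swaps the import path and keeps the `csrf` alias, so it will not build until go.mod (and go.sum) gain a `require` entry for `filippo.io/csrf`; the description says go.mod is updated "accordingly", but the PR should show that change, followed by `go mod tidy` so the vulnerable `github.com/gorilla/csrf` module actually drops out of the module graph instead of lingering as an indirect dependency that vulnerability scanners keep flagging.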

and update go.mod accordingly. No behavioral regressions observed in typical Harbor flows (UI login, API calls, proxy/ingress scenarios) during local verification.

Why this helps

  • Avoids exposure to CVE-2025-24358 (present in v1.7.2).
  • Avoids the CVE-2025-47909 issue encountered with v1.7.3.
  • Keeps the CSRF protection in place without functional impact in my tests.

Next steps

I will open a PR shortly with the migration, the minimal code changes needed to resolve the prior breaking change, and notes on how I verified behavior.

Request

  • Please review the approach and share any concerns (compatibility, deployment nuances, additional test cases).
  • If there are Harbor-specific constraints that require keeping gorilla/csrf, I’m happy to adjust the PR accordingly.

Thanks!
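An added regression check for the "no behavioral regressions" claim in this issue; it is not part of the issue or of Harbor's code. It feeds constructed GET/POST requests through any `func(http.Handler) http.Handler` middleware and reports the status codes, so the same harness can be pointed at the replacement `csrf.Protect(...)` middleware once it is wired in. `standInProtect` is a constructed stand-in so the file runs offline; a token-based middleware such as gorilla/csrf would also return 403 for the same-origin POST unless a token is supplied.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CSRFResult records the status each request shape received.
type CSRFResult struct {
	GetStatus      int // safe method: expected to pass through (200)
	SameOriginPost int // state-changing, same origin: should be allowed
	CrossSitePost  int // state-changing, cross-site: must be rejected (403)
}

// CheckCSRFMiddleware wraps a trivial 200 handler with mw and replays three
// constructed requests against it. Any middleware with the gorilla-style
// func(http.Handler) http.Handler shape can be passed in.
func CheckCSRFMiddleware(mw func(http.Handler) http.Handler) CSRFResult {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := mw(ok)
	do := func(method, secFetchSite string) int {
		// Constructed request; the Harbor API path is illustrative only.
		req := httptest.NewRequest(method, "https://harbor.example/api/v2.0/projects", nil)
		req.Header.Set("Sec-Fetch-Site", secFetchSite)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	return CSRFResult{
		GetStatus:      do(http.MethodGet, "cross-site"),
		SameOriginPost: do(http.MethodPost, "same-origin"),
		CrossSitePost:  do(http.MethodPost, "cross-site"),
	}
}

// standInProtect is a constructed placeholder for the real CSRF middleware so
// this file runs stand-alone: it rejects cross-site non-safe requests.
func standInProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && r.Header.Get("Sec-Fetch-Site") == "cross-site" {
			http.Error(w, "Forbidden - CSRF check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Printf("%+v\n", CheckCSRFMiddleware(standInProtect))
}
```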
