We recently got a vulnerability report saying that one of the HTML forms in one of our internal applications is not CSRF protected. At first, we could not reproduce it manually: using the developer tools and looking at the headers and cookies, we found the XSRF-TOKEN present in the headers.
But then we reproduced the problem in an incognito tab or a "clean" browser. The problem was in the very first login attempt only. It appears that at the moment the first login request is posted, the client does not yet have the XSRF token, since this is the very first interaction between the client and the server.
Is it still a vulnerability, and should it be addressed, if it is only reproducible on the very first login request? How is this kind of problem generally addressed? There probably needs to be some sort of client-server interaction before the login form submission, so that the client would get the XSRF token beforehand.
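The exchange the question alludes to (a GET of the login page that hands out a pre-session token, followed by a POST that must carry it back) can be sketched as an added example; this is not code from the question's application or its framework. It assumes a double-submit design in which the server sets a random `XSRF-TOKEN` cookie on the login page and embeds an HMAC of that token in a hidden `_csrf` form field, so the POST handler can check the pair without any server-side session existing yet. The secret, the cookie name and the field name are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: in a real deployment the secret comes from
# configuration and is rotated, never hard-coded in source.
SERVER_SECRET = b"example-only-server-secret"


def _sign(value: str) -> str:
    """HMAC-SHA256 of the cookie token, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def issue_login_page():
    """Handle GET /login for a client that has no session yet.

    Returns (Set-Cookie header value, hidden-field value). The cookie holds a
    fresh random pre-session token; the hidden field holds its HMAC, so a
    cross-site page that cannot read our cookie cannot produce a matching pair.
    The cookie can stay HttpOnly because the form field, not script, carries
    the second copy.
    """
    token = secrets.token_urlsafe(32)
    cookie = f"XSRF-TOKEN={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return cookie, _sign(token)


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie request-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def handle_login_post(cookie_header: str, form_fields: dict) -> bool:
    """Validate POST /login before credentials are even looked at.

    Returns True only when both the pre-session cookie and the hidden field are
    present and the field is the HMAC of the cookie. A first-ever POST with no
    prior GET has no cookie and is rejected, which is exactly the gap the
    report describes.
    """
    token = parse_cookie_header(cookie_header).get("XSRF-TOKEN")
    submitted = form_fields.get("_csrf")
    if not token or not submitted:
        return False
    return hmac.compare_digest(_sign(token), submitted)


if __name__ == "__main__":
    # Full exchange: browser GETs the login page, then POSTs the form back.
    set_cookie, hidden_field = issue_login_page()
    request_cookie = set_cookie.split(";")[0]  # browser echoes only name=value
    form = {"username": "alice", "password": "hunter2", "_csrf": hidden_field}
    print("legitimate POST accepted:", handle_login_post(request_cookie, form))
    # A cross-site POST arrives with no pre-session cookie from our origin.
    print("cold POST accepted:", handle_login_post("", form))
```

The check runs before the password is verified, so a login CSRF attempt (forcing the victim's browser into the attacker's account) fails at the token stage regardless of whether the credentials in the form are valid. If the application instead reads the cookie from JavaScript and sends it in a request header, the same validation applies with the header value in place of `_csrf` and the cookie left readable by script.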