CVE-2025-61776
📋 TL;DR
Dependency-Track versions before 4.13.5 may inadvertently send private NuGet repository credentials and internal component metadata to the public api.nuget.org service. This affects organizations using Dependency-Track with .NET components and custom authenticated NuGet repositories that lack PackageBaseAddress resources.
💻 Affected Systems
- Dependency-Track
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Private NuGet repository credentials are exposed to api.nuget.org, potentially allowing unauthorized access to proprietary packages and internal component metadata disclosure.
Likely Case
Internal component names and versions are leaked to api.nuget.org, revealing proprietary software inventory without credential compromise.
If Mitigated
No data leakage occurs if custom NuGet repositories are disabled or properly configured with PackageBaseAddress resources.
🎯 Exploit Status
Exploitation requires specific configuration conditions and knowledge of the vulnerability. No authentication bypass needed as it's a misconfiguration issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.5
Vendor Advisory: https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-83g2-vgqh-mgxc
Restart Required: No
Instructions:
1. Back up the current configuration.
2. Stop the Dependency-Track service.
3. Update to version 4.13.5.
4. Restart the Dependency-Track service.
5. Verify functionality.
🔧 Temporary Workarounds
Disable custom NuGet repositories
Temporarily disable all custom NuGet repository configurations until patched to prevent credential leakage.
Edit Dependency-Track configuration to remove or disable custom NuGet repository settings
🧯 If You Can't Patch
- Disable all custom NuGet repository configurations immediately
- Invalidate and regenerate credentials for all affected NuGet repositories after eventual patching
🔍 How to Verify
Check if Vulnerable:
You are affected if you are running Dependency-Track version < 4.13.5 AND have custom NuGet repositories configured with authentication AND those repositories lack a PackageBaseAddress resource.
Check Version:
Check the Dependency-Track web interface admin panel or the API endpoint /api/version.
Verify Fix Applied:
Verify that the Dependency-Track version reported by /api/version is 4.13.5 or higher.
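The version condition above can be checked with a small script. The following is an added example, not vendor tooling: it assumes the /api/version endpoint named above returns JSON with a "version" field (an assumption about the response shape), uses a placeholder base URL, and treats a pre-release build of 4.13.5 (e.g. a SNAPSHOT) as still vulnerable, since such a build may predate the fix.

```python
"""Version check for CVE-2025-61776 against a Dependency-Track instance.

Added example, not the vendor's tooling. Assumes /api/version returns JSON with
a "version" field; the base URL below is a placeholder.
"""
import json
import re
import urllib.request
from typing import Tuple

FIXED_VERSION = (4, 13, 5)  # first fixed release named in the advisory


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Turn '4.13.4' or '4.13.5-SNAPSHOT' into ((4, 13, 4), False) / ((4, 13, 5), True).

    The boolean flags a pre-release suffix after the numeric part.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(-\S+)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(x) for x in m.groups()[:3])
    return base, m.group(4) is not None


def is_vulnerable_version(text: str) -> bool:
    """True when the reported version is below 4.13.5.

    A pre-release of 4.13.5 itself is treated conservatively as vulnerable,
    because a snapshot may have been built before the fix landed.
    """
    base, prerelease = parse_version(text)
    return base < FIXED_VERSION or (base == FIXED_VERSION and prerelease)


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Query /api/version and return its 'version' field (assumed response shape)."""
    url = f"{base_url.rstrip('/')}/api/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    import sys

    # Placeholder host; pass your own instance URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://dtrack.example.internal"
    reported = fetch_version(base)
    verdict = "VULNERABLE (update to 4.13.5)" if is_vulnerable_version(reported) else "fixed"
    print(f"Dependency-Track {reported}: {verdict}")
```

The script only settles the version half of the condition; whether authenticated custom NuGet repositories without a PackageBaseAddress resource are configured still has to be confirmed in the admin panel.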
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound connections to api.nuget.org with Authorization headers
- Failed NuGet repository authentication attempts
Network Indicators:
- Outbound HTTP requests to api.nuget.org containing Authorization headers from Dependency-Track server
SIEM Query:
source_ip=DependencyTrack_Server AND dest_ip=api.nuget.org AND http_header="Authorization:"
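The SIEM query above can be run offline against egress-proxy logs. The following is an added example, not part of the advisory: it assumes a constructed JSON-lines proxy format (one object per request with src_ip, host, path and the list of request header names) and a constructed set of Dependency-Track server addresses. It separates the two outcomes the Risk section describes: a request from the Dependency-Track server to api.nuget.org carrying an Authorization header (credential leak) versus one without it (internal component metadata disclosure only).

```python
"""Classify egress-proxy log lines for the Dependency-Track -> api.nuget.org leak pattern.

Added example; not part of the advisory. The JSON-lines format and the sample
lines below are constructed for illustration, not a real proxy's schema.
"""
import json
from typing import Dict, List, Optional, Set

NUGET_PUBLIC_HOST = "api.nuget.org"

# Constructed: addresses of the Dependency-Track server(s) in this environment.
DT_SERVERS: Set[str] = {"10.0.5.20"}

# Constructed sample log lines (egress proxy, one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","src_ip":"10.0.5.20","host":"api.nuget.org","method":"GET","path":"/v3-flatcontainer/acme.internal.billing/index.json","headers":["Host","User-Agent","Authorization","Accept"]}
{"ts":"2025-01-10T09:00:02Z","src_ip":"10.0.5.20","host":"api.nuget.org","method":"GET","path":"/v3-flatcontainer/acme.internal.ledger/index.json","headers":["Host","User-Agent","Accept"]}
{"ts":"2025-01-10T09:00:03Z","src_ip":"10.0.7.41","host":"api.nuget.org","method":"GET","path":"/v3-flatcontainer/newtonsoft.json/index.json","headers":["Host","User-Agent","Accept"]}
{"ts":"2025-01-10T09:00:04Z","src_ip":"10.0.5.20","host":"nuget.internal.example","method":"GET","path":"/v3/index.json","headers":["Host","User-Agent","Authorization","Accept"]}
not-json-garbage
"""


def classify(event: dict, dt_servers: Set[str]) -> Optional[str]:
    """Return a severity label for one proxy event, or None if it is not of interest.

    Only requests from a Dependency-Track server to the public NuGet API matter;
    developer workstations and private feeds are expected traffic.
    """
    if event.get("src_ip") not in dt_servers:
        return None
    if event.get("host", "").lower() != NUGET_PUBLIC_HOST:
        return None
    header_names = {h.lower() for h in event.get("headers", [])}
    if "authorization" in header_names:
        return "credential_leak"        # worst case: private feed credentials sent to api.nuget.org
    return "metadata_disclosure"        # likely case: internal package names/versions revealed


def detect(log_text: str, dt_servers: Set[str]) -> Dict[str, object]:
    """Scan JSON-lines proxy output and collect alerts; count lines that fail to parse."""
    alerts: List[Dict[str, str]] = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        severity = classify(event, dt_servers)
        if severity:
            alerts.append({
                "severity": severity,
                "ts": event.get("ts", ""),
                "src_ip": event["src_ip"],
                "path": event.get("path", ""),
            })
    return {"alerts": alerts, "malformed": malformed}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG, DT_SERVERS)
    for a in result["alerts"]:
        print(f"{a['ts']} {a['severity']:<20} {a['src_ip']} {a['path']}")
    print(f"skipped {result['malformed']} malformed line(s)")
```

A credential_leak hit is the trigger for the "invalidate and regenerate credentials" step listed above; a metadata_disclosure hit on its own still shows which internal package names reached the public service.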