CVE-2025-64758
📋 TL;DR
Dependency-Track versions 4.12.0 through 4.13.5 contain a stored cross-site scripting (XSS) vulnerability in the login page welcome message feature. Administrators with SYSTEM_CONFIGURATION permission can inject malicious JavaScript that executes when users visit the login page. This affects all Dependency-Track deployments using vulnerable versions.
💻 Affected Systems
- Dependency-Track frontend
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious administrator could steal login credentials, session tokens, or redirect users to phishing sites via JavaScript execution on the login page.
Likely Case
Privilege escalation or credential theft if an administrator account is compromised or malicious.
If Mitigated
Limited impact with proper administrator vetting and monitoring, as exploitation requires administrative privileges.
🎯 Exploit Status
Exploitation requires SYSTEM_CONFIGURATION permission (administrator access). Attack vector is stored XSS via welcome message configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.6
Vendor Advisory: https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5
Restart Required: Yes
Instructions:
1. Backup current configuration and data. 2. Update Dependency-Track to version 4.13.6 or later. 3. Restart the Dependency-Track service. 4. Verify the welcome message HTML sanitization is functioning.
🔧 Temporary Workarounds
Disable welcome message feature
allRemove or clear the welcome message configuration to prevent XSS injection.
Navigate to Administration > System Configuration > Interface > Welcome Message and clear the content
Restrict SYSTEM_CONFIGURATION permissions
allLimit administrative access to only trusted personnel.
Review and audit users with SYSTEM_CONFIGURATION permission in Administration > Access Management
🧯 If You Can't Patch
- Implement strict monitoring of administrator activities and welcome message changes.
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in login page responses.
🔍 How to Verify
Check if Vulnerable:
Check Dependency-Track version via web interface footer or API endpoint /api/version. If version is between 4.12.0 and 4.13.5 inclusive, system is vulnerable.Check Version:
curl -s http://your-dtrack-instance/api/version | grep versionVerify Fix Applied:
After updating to 4.13.6+, test welcome message field with XSS payload like <script>alert('test')</script> - it should be sanitized and not execute.📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to system configuration, particularly welcome message updates
- Administrator account performing unexpected configuration changes
Network Indicators:
- JavaScript execution attempts on login page
- Suspicious outbound connections from login page
SIEM Query:
source="dependency-track" AND (event="CONFIGURATION_UPDATE" AND config_key="welcome.message")