
CVE-2025-61776: CWE-522: Insufficiently Protected Credentials in DependencyTrack dependency-track

Severity: Medium
Tags: CVE-2025-61776, CWE-522
Published: Tue Oct 07 2025 (10/07/2025, 18:57:06 UTC)
Source: CVE Database V5
Vendor/Project: DependencyTrack
Product: dependency-track

Description

CVE-2025-61776 is a medium-severity vulnerability in Dependency-Track versions prior to 4.13.5 that results in insufficient protection of the credentials configured for custom NuGet repositories. When a Dependency-Track instance contains .NET components and is configured with an authenticated custom NuGet repository whose service index lacks a PackageBaseAddress resource, the credentials intended for that private repository may be sent to the public api.nuget.org endpoint in the HTTP Authorization header. The names and versions of internal components may also be disclosed to that public endpoint. Exploitation requires no privileges but does require user interaction, and the outcome is credential leakage that can expose access to the private repository. The vulnerability affects confidentiality only; integrity and availability are not impacted.

AI-Powered Analysis

AILast updated: 10/07/2025, 19:30:50 UTC

Technical Analysis

Dependency-Track is a software composition analysis platform that helps organizations manage software supply chain risk by tracking component usage and known vulnerabilities. CVE-2025-61776 is classified under CWE-522 (Insufficiently Protected Credentials) and affects Dependency-Track versions prior to 4.13.5. The flaw is reached when an instance that includes .NET components is configured to use a custom NuGet repository that requires authentication, and that repository's service index does not advertise a PackageBaseAddress resource.

Under those conditions the repository metadata lookup does not stay on the private feed: it is issued against the public NuGet API endpoint (api.nuget.org) while the Authorization header configured for the private repository is still attached, so the private feed's credentials are handed to an external service. Because the lookup URL carries the package identifier, the names and versions of components marked as internal are disclosed to the same public endpoint, leaking information about the organization's software supply chain.

The vulnerability requires no privileges to exploit, and the CVSS vector records user interaction, such as causing Dependency-Track to query its configured NuGet repositories. In practice these lookups are part of Dependency-Track's normal repository metadata analysis, so the credentials are exposed to whoever terminates the connection on the api.nuget.org side without any action against the Dependency-Track instance itself. The CVSS 3.1 base score is 4.7 (medium), reflecting low confidentiality impact and no impact on integrity or availability. The scope is changed (S:C) because the leaked credentials belong to a resource outside the vulnerable component, namely the private repository.

The issue is fixed in Dependency-Track 4.13.5. Workarounds are to disable custom NuGet repositories until the upgrade is applied and to rotate any credentials previously used with them, since they must be assumed exposed. No known exploits had been reported in the wild as of the publication date.
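To make the failure mode concrete, the following is an added example, not Dependency-Track code, that models the service-index handling described above in miniature. The two NuGet v3 service indexes, the repository URL, the package identifier and the credential are all constructed; the helper names are hypothetical. The vulnerable path falls back to the public flat-container base address and keeps the Authorization header; the hardened path refuses to fall back and only attaches credentials when the resolved host matches the configured repository. Note that the leaked URL also carries the lowercased package identifier, which is the internal component name disclosure the advisory mentions.

```python
"""Model of the credential-scoping bug described for CVE-2025-61776 (added example)."""
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Public endpoint a naive fallback would use (the real host named in the advisory).
PUBLIC_FLATCONTAINER = "https://api.nuget.org/v3-flatcontainer/"

# Constructed service indexes. The first is what a well-formed private feed returns;
# the second omits PackageBaseAddress, which is the precondition for the leak.
INDEX_WITH_BASE = {
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.example.internal/v3/search", "@type": "SearchQueryService"},
        {"@id": "https://nuget.example.internal/v3-flatcontainer/", "@type": "PackageBaseAddress/3.0.0"},
    ],
}
INDEX_WITHOUT_BASE = {
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.example.internal/v3/search", "@type": "SearchQueryService"},
        {"@id": "https://nuget.example.internal/v3/registration/", "@type": "RegistrationsBaseUrl/3.6.0"},
    ],
}


@dataclass
class Request:
    url: str
    headers: dict


def basic_auth(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def package_base_address(index: dict) -> Optional[str]:
    """Return the PackageBaseAddress @id from a NuGet v3 service index, if any."""
    for res in index.get("resources", []):
        if str(res.get("@type", "")).startswith("PackageBaseAddress/"):
            return res["@id"].rstrip("/") + "/"
    return None


def versions_request_vulnerable(index: dict, auth: str, package_id: str) -> Request:
    """Pre-fix behaviour: fall back to the public host and keep sending credentials."""
    base = package_base_address(index) or PUBLIC_FLATCONTAINER
    # BUG: the header is attached regardless of which host 'base' now points at.
    return Request(f"{base}{package_id.lower()}/index.json", {"Authorization": auth})


def versions_request_hardened(repo_url: str, index: dict, auth: str, package_id: str) -> Optional[Request]:
    """Hardened: never fall back, and scope credentials to the configured repository host."""
    base = package_base_address(index)
    if base is None:
        return None  # the feed cannot serve flat-container lookups; skip, do not leak
    headers = {}
    if urlsplit(base).hostname == urlsplit(repo_url).hostname:
        headers["Authorization"] = auth
    return Request(f"{base}{package_id.lower()}/index.json", headers)


def leaks_credentials(req: Optional[Request], repo_url: str) -> bool:
    """True when an Authorization header would be sent to a host other than the repository's."""
    if req is None or "Authorization" not in req.headers:
        return False
    return urlsplit(req.url).hostname != urlsplit(repo_url).hostname


if __name__ == "__main__":
    repo = "https://nuget.example.internal/v3/index.json"
    auth = basic_auth("svc-deptrack", "hunter2")  # constructed credential
    bad = versions_request_vulnerable(INDEX_WITHOUT_BASE, auth, "Contoso.Internal.Billing")
    print(bad.url, "leaks:", leaks_credentials(bad, repo))
    print("hardened:", versions_request_hardened(repo, INDEX_WITHOUT_BASE, auth, "Contoso.Internal.Billing"))
```

The host comparison in the hardened path is deliberately kept even though the fallback is removed: a private feed could legitimately advertise a PackageBaseAddress on a different host (a CDN, for example), and credentials issued for the feed should not follow the request there either.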

Potential Impact

For European organizations, the primary risk is to the confidentiality of the credentials used for private NuGet repositories. Leaking those credentials to a public endpoint could allow an unauthorized party to read the private feed and with it proprietary or sensitive software components, which in turn could support supply chain attacks or intellectual property theft. The vulnerability does not directly affect system integrity or availability, but compromised repository credentials undermine trust in the software supply chain and can lead to indirect impact if the access is abused. Organizations that rely heavily on .NET components and authenticated custom NuGet repositories in their development pipelines are the most exposed. The risk is heightened for enterprises with strict data protection and software integrity requirements, such as the finance, healthcare and critical infrastructure sectors prevalent in Europe.

Mitigation Recommendations

European organizations should upgrade Dependency-Track to version 4.13.5 or later without delay. Until the upgrade is complete, disable all custom NuGet repositories configured with authentication so that no further credentials can leak. Treat credentials previously used with those repositories as exposed: invalidate and rotate them regardless of whether leakage has been confirmed. Review and audit Dependency-Track configurations so that no other unintended credential exposure exists. Monitor outbound traffic from the Dependency-Track host to api.nuget.org and other unexpected endpoints; because this traffic is TLS, a proxy sees only the destination host, so such a hit is meaningful where the instance is expected to use private repositories only. Enforce strict access control and logging around Dependency-Track and the NuGet repository credentials it holds, and consider isolating Dependency-Track instances in a dedicated network segment to limit exposure. Make development and DevOps teams aware of the risk and of secure handling of repository credentials. Finally, bring Dependency-Track updates into the regular patch management process so that future fixes are applied promptly.
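The monitoring step above can be turned into a simple check over proxy logs. The following is an added example, not from the advisory or the Dependency-Track project, and the Squid-style access log lines in it are constructed: 10.20.30.40 is assumed to be the Dependency-Track server and 10.20.30.41 a developer workstation whose NuGet traffic is expected. It counts connections from Dependency-Track servers to NuGet hosts that are not approved private feeds. Two caveats a practitioner should keep in mind: the traffic is TLS, so only the CONNECT target is visible and the Authorization header itself cannot be observed; and connections to api.nuget.org are only anomalous when Dependency-Track's built-in public NuGet repository has been disabled, since otherwise the instance talks to api.nuget.org by design.

```python
"""Flag Dependency-Track egress to public NuGet hosts in Squid-style proxy logs (added example)."""
from collections import Counter
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlsplit

# Constructed Squid native-format lines (timestamp, elapsed, client, action/code,
# bytes, method, target, user, hierarchy/peer, type). Peer addresses use
# documentation ranges and do not correspond to real infrastructure.
SAMPLE_LOG = """\
1759862400.101    212 10.20.30.40 TCP_TUNNEL/200 5120 CONNECT nuget.example.internal:443 - HIER_DIRECT/10.20.31.5 -
1759862401.377    198 10.20.30.40 TCP_TUNNEL/200 4821 CONNECT api.nuget.org:443 - HIER_DIRECT/203.0.113.10 -
1759862402.010    160 10.20.30.41 TCP_TUNNEL/200 3900 CONNECT api.nuget.org:443 - HIER_DIRECT/203.0.113.10 -
1759862403.555    205 10.20.30.40 TCP_TUNNEL/200 6011 CONNECT api.nuget.org:443 - HIER_DIRECT/203.0.113.10 -
1759862404.800    120 10.20.30.40 TCP_TUNNEL/200 2200 CONNECT github.com:443 - HIER_DIRECT/198.51.100.7 -
"""

# Domain suffixes that identify public NuGet infrastructure; matched as suffixes
# so that hosts beneath nuget.org are caught as well as the bare apex.
PUBLIC_NUGET_SUFFIXES = ("nuget.org",)


def parse_squid_line(line: str) -> Tuple[str, str]:
    """Return (client_ip, destination_host) for one Squid native-format line."""
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"unexpected log format: {line!r}")
    client, method, target = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]  # CONNECT target is host:port
    else:
        host = urlsplit(target).hostname or target
    return client, host.lower()


def is_public_nuget_host(host: str) -> bool:
    """True for the nuget.org apex or any host beneath it."""
    return any(host == s or host.endswith("." + s) for s in PUBLIC_NUGET_SUFFIXES)


def flag_unexpected_nuget_egress(
    lines: Iterable[str], deptrack_clients: Set[str], approved_hosts: Set[str]
) -> Dict[Tuple[str, str], int]:
    """Count connections from Dependency-Track servers to NuGet hosts not on the approved list."""
    hits: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        client, host = parse_squid_line(line)
        if client not in deptrack_clients or host in approved_hosts:
            continue
        if is_public_nuget_host(host):
            hits[(client, host)] += 1
    return dict(hits)


if __name__ == "__main__":
    findings = flag_unexpected_nuget_egress(
        SAMPLE_LOG.splitlines(), {"10.20.30.40"}, {"nuget.example.internal"}
    )
    for (client, host), n in sorted(findings.items()):
        print(f"{client} -> {host}: {n} connection(s); treat the private feed credentials as exposed")
```

On the sample data the developer workstation and the github.com connection are ignored, and the two connections from the Dependency-Track server to api.nuget.org are reported. Any hit from a server that should only reach the private feed is a reason to rotate that feed's credentials, whether or not the header can be seen.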


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-30T19:43:49.901Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e566d0a677756fc99d8dcd
Added to database: 10/7/2025, 7:15:28 PM
Last enriched: 10/7/2025, 7:30:50 PM
Last updated: 10/7/2025, 9:07:46 PM
