VYPR
Medium severity · 4.8 · NVD Advisory · Published Nov 17, 2025 · Updated Apr 15, 2026

CVE-2025-64758

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript in the browsers of users visiting the login page. The issue has been fixed in version 4.13.6.
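As an added defender-side check (not code from the Dependency-Track project), the script below decodes a stored `welcome.message.html` value the way the frontend's Login.vue does before rendering, and flags active-content constructs so an administrator can audit the configured branding on an instance that has not yet been upgraded to 4.13.6. The `{propertyValue}` shape follows `response.data.propertyValue` in the fix commit; the sample values, check names and the function names are constructed for this example.

```javascript
// Added example: audit a stored welcome message for active HTML content.
// Not Dependency-Track code. Input shape {propertyValue} mirrors the config
// property response used by Login.vue; everything else here is constructed.

// Constructs that turn "branding HTML" into executable content.
const ACTIVE_CONTENT_CHECKS = [
  { id: 'script-tag', re: /<\s*script\b/i },
  { id: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { id: 'javascript-url', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { id: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b/i },
  { id: 'svg-or-math', re: /<\s*(?:svg|math)\b/i },
];

// Decode exactly as the login page does. decodeURIComponent throws URIError
// on malformed percent-encoding; report that as a finding instead of crashing.
function decodeWelcomeMessage(propertyValue) {
  try {
    return { ok: true, html: decodeURIComponent(propertyValue) };
  } catch (e) {
    return { ok: false, html: '', error: e.name };
  }
}

// Returns which checks fired on the decoded HTML (empty list = nothing active).
function auditWelcomeMessage(configProperty) {
  const decoded = decodeWelcomeMessage(configProperty.propertyValue ?? '');
  if (!decoded.ok) return { decodable: false, findings: ['malformed-encoding'] };
  const findings = ACTIVE_CONTENT_CHECKS
    .filter(({ re }) => re.test(decoded.html))
    .map(({ id }) => id);
  return { decodable: true, findings };
}

// Constructed samples, URL-encoded the way the stored property is served.
const SUSPICIOUS_PROPERTY = {
  propertyName: 'welcome.message.html',
  propertyValue: encodeURIComponent('<h1>Welcome</h1><img src=x onerror="run()">'),
};
const BENIGN_PROPERTY = {
  propertyName: 'welcome.message.html',
  propertyValue: encodeURIComponent('<p>Welcome to <b>ACME</b> Dependency-Track</p>'),
};

console.log(JSON.stringify(auditWelcomeMessage(SUSPICIOUS_PROPERTY)));
console.log(JSON.stringify(auditWelcomeMessage(BENIGN_PROPERTY)));
```

A clean audit is not proof of safety; the checks are a triage aid, and the real fix is upgrading so DOMPurify runs at render time.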

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Dependency-Track frontend allows administrators with SYSTEM_CONFIGURATION permission to inject arbitrary JavaScript via unsanitized welcome message HTML.

The welcome message feature in Dependency-Track frontend, a Single Page Application (SPA), allows users with the SYSTEM_CONFIGURATION permission (administrators) to set HTML content displayed on the login page for branding purposes. Prior to version 4.13.6, this HTML was not sanitized before rendering, enabling the injection of arbitrary JavaScript [1][4].

An attacker with the SYSTEM_CONFIGURATION permission can craft a malicious welcome message containing JavaScript. When any user visits the login page, the script executes in their browser without requiring additional authentication from the victim [1].

Successful exploitation leads to arbitrary JavaScript execution in the context of the login page, potentially allowing theft of credentials, session hijacking, or other client-side attacks [2].

The issue has been fixed in version 4.13.6 by sanitizing the welcome message with DOMPurify before rendering [1][4]. Users are advised to upgrade to the latest version to mitigate the risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions      Patched versions
@dependencytrack/frontend (npm)  >= 4.12.0, < 4.13.6    4.13.6

Patches (1)

8fd757be612e

Merge pull request #1378 from nscuro/welcome-message-dompurify

2 files changed · +10 −4
  • src/views/administration/configuration/WelcomeMessage.vue  +7 −2  modified
    @@ -46,7 +46,7 @@
                 <div slot="header">
                   <h4>{{ $t('admin.preview') }}</h4>
                 </div>
    -            <p><span v-html="welcomeMessage" /></p>
    +            <p><span v-html="sanitizedWelcomeMessage" /></p>
               </b-card>
             </b-col>
           </b-row>
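Review bot: this hunk sanitizes only what the preview pane displays; the editor's own model and whatever the form submits to the server are still the raw `welcomeMessage`, so on its own this change protects the administrator's preview rather than the login page. It is adequate only because Login.vue sanitizes at render time in the same patch; a short comment here saying that the stored value is not sanitized would stop a future reader from assuming otherwise.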
    @@ -58,6 +58,7 @@ import axios from 'axios';
     import { Switch as cSwitch } from '@coreui/vue';
     import configPropertyMixin from '../mixins/configPropertyMixin';
     import common from '../../../shared/common';
    +import DOMPurify from 'dompurify';
     
     export default {
       mixins: [configPropertyMixin],
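Review bot: `import DOMPurify from 'dompurify';` is introduced here, but the summary lists only two `.vue` files changed, so the `package.json` and lockfile entries for `dompurify` are not visible in this diff; confirm the package is declared (and pinned) as a runtime dependency, otherwise the build fails on an unresolved module.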
    @@ -83,7 +84,11 @@ export default {
           this.isWelcomeMessage = common.toBoolean(response.data.propertyValue);
         });
       },
    -  computed: {},
    +  computed: {
    +    sanitizedWelcomeMessage() {
    +      return DOMPurify.sanitize(this.welcomeMessage);
    +    },
    +  },
       methods: {
         updateCode() {
           const editor = this.$refs.editor;
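Review bot: `DOMPurify.sanitize(this.welcomeMessage)` relies on the library's default profile. Since the welcome message is branding text, an explicit allow-list (DOMPurify's `ALLOWED_TAGS` / `ALLOWED_ATTR` options) would document which HTML is intended and narrow the surface further; whichever configuration is chosen, it should be the same one Login.vue uses, ideally through a shared helper so the two call sites cannot drift apart.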
    
  • src/views/pages/Login.vue  +3 −2  modified
    @@ -111,6 +111,7 @@ import EventBus from '../../shared/eventbus';
     import { getRedirectUrl, getContextPath } from '../../shared/utils';
     const qs = require('querystring');
     import common from '../../shared/common';
    +import DOMPurify from 'dompurify';
     
     export default {
       name: 'Login',
    @@ -156,8 +157,8 @@ export default {
             if (this.isWelcomeMessage) {
               let message_url = `${this.$api.BASE_URL}/${this.$api.URL_CONFIG_PROPERTY}/public/general/welcome.message.html`;
               axios.get(message_url).then((response) => {
    -            this.welcomeMessage = decodeURIComponent(
    -              response.data.propertyValue,
    +            this.welcomeMessage = DOMPurify.sanitize(
    +              decodeURIComponent(response.data.propertyValue),
                 );
               });
             }
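Review bot: the ordering is right (decode first, then sanitize, so nothing that was percent-encoded is reintroduced after DOMPurify has run), but `decodeURIComponent` throws `URIError` on malformed percent-encoding and this `.then` chain has no `.catch`, so a corrupted stored value becomes an unhandled rejection rather than an empty message; a try/catch that falls back to `''` would be safer. Note also that the value is fetched from a `/public/` endpoint and this patch sanitizes only on the client, so any other client that renders `welcome.message.html` needs the same treatment.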
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
