CVE-2025-64758: 
JavaScript vulnerability analysis and mitigation

CVE-2025-64758 affects @dependencytrack/frontend, a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform. The vulnerability was discovered in versions 4.12.0 through 4.13.5, where the application failed to properly sanitize HTML content in the welcome message feature, potentially allowing cross-site scripting attacks. The issue was disclosed on November 17, 2025 (GitHub Advisory).

The vulnerability stems from insufficient HTML sanitization in the welcome message feature introduced in version 4.12.0. When rendering the welcome message on the login page, the application did not properly sanitize HTML content, enabling arbitrary JavaScript execution. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity but requiring high privileges and user interaction (GitHub Advisory).

The vulnerability allows users with SYSTEM_CONFIGURATION permission (administrators) to execute arbitrary JavaScript code that affects users browsing to the login page. This creates a potential for persistent cross-site scripting attacks, potentially compromising the confidentiality and integrity of user data (GitHub Advisory).

The vulnerability has been fixed in version 4.13.6 through the implementation of DOMPurify sanitization for welcome message content. Users are advised to upgrade to version 4.13.6 or later to address this security issue (GitHub PR).

The vulnerability was responsibly disclosed by Jonas Benjamin Friedli and promptly addressed by the Dependency-Track team. The fix was implemented through a pull request that received positive community feedback and was merged into the main codebase (GitHub PR).