Credential Exposure in Dependency-Track by Dependency-Track
CVE-2025-61776

4.7 MEDIUM

Key Information:

Vendor: Dependency-Track
CVE Published: 7 October 2025

What is CVE-2025-61776?

Prior to version 4.13.5, Dependency-Track may inadvertently send credentials intended for a private NuGet repository to api.nuget.org in the HTTP Authorization header. This can occur when the Dependency-Track instance incorporates .NET components, a custom NuGet repository with authentication is configured, and that repository's service index lacks a PackageBaseAddress resource. Users are advised to disable custom NuGet repositories until the patch is applied, revoke credentials that were in use before the fix, and generate new ones after upgrading.
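As an added illustration (not Dependency-Track's own code), the following Python model is built from the description above: it contrasts a client that keeps the Authorization header when it falls back to api.nuget.org with one that binds the credential to the configured repository's origin, and includes the audit check a defender would run on outbound requests. The service indexes, hostnames and credential are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed NuGet v3 service indexes standing in for a private repository's
# /v3/index.json. Only INDEX_WITH_BASE advertises a PackageBaseAddress resource.
PRIVATE_REPO_URL = "https://nuget.example.internal/v3/index.json"
INDEX_WITHOUT_BASE = {"version": "3.0.0", "resources": [
    {"@id": "https://nuget.example.internal/v3/registration/",
     "@type": "RegistrationsBaseUrl/3.6.0"}]}
INDEX_WITH_BASE = {"version": "3.0.0", "resources": INDEX_WITHOUT_BASE["resources"] + [
    {"@id": "https://nuget.example.internal/v3-flatcontainer/",
     "@type": "PackageBaseAddress/3.0.0"}]}
# Public flat container a client may fall back to when the private index lacks one.
PUBLIC_FLAT_CONTAINER = "https://api.nuget.org/v3-flatcontainer/"
# Constructed placeholder credential, never a real token.
CREDENTIAL = "Basic PLACEHOLDER_BASE64_USER_AND_TOKEN"

def package_base_address(index):
    """Return the PackageBaseAddress @id from a v3 service index, or None if absent."""
    for resource in index.get("resources", []):
        if str(resource.get("@type", "")).startswith("PackageBaseAddress/"):
            return resource["@id"]
    return None

def same_origin(url_a, url_b):
    """True when scheme, host and port match; the Authorization header must not cross origins."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def build_request_vulnerable(repo_url, index, credential):
    """Models the pre-4.13.5 failure mode: fall back to api.nuget.org but keep the header."""
    base = package_base_address(index) or PUBLIC_FLAT_CONTAINER
    return {"url": base, "headers": {"Authorization": credential}}

def build_request_hardened(repo_url, index, credential):
    """Attach the repository credential only when the request stays on that repository's origin."""
    base = package_base_address(index) or PUBLIC_FLAT_CONTAINER
    headers = {"Authorization": credential} if same_origin(base, repo_url) else {}
    return {"url": base, "headers": headers}

def leaks_credential(request, repo_url):
    """Audit check: an Authorization header on a request to a foreign origin is a leak."""
    return "Authorization" in request["headers"] and not same_origin(request["url"], repo_url)
```

The same `leaks_credential` check can be run over an egress proxy log of a Dependency-Track host to confirm whether a repository credential ever left for api.nuget.org before the upgrade.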

Affected Version(s)

dependency-track < 4.13.5

CVSS v3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 7 October 2025
  • Vulnerability reserved
