CVE-2025-61776
BaseFortify
Publication date: 2025-10-07
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dependency-track | dependency-track | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Dependency-Track prior to version 4.13.5 can cause the software to send authentication credentials intended for a private NuGet repository to the public api.nuget.org in the HTTP Authorization header. It may also disclose the names and versions of components marked as internal to api.nuget.org. This occurs only under specific conditions: the project contains .NET components, a custom NuGet repository is configured with authentication, and that repository's service index does not expose a PackageBaseAddress resource.
How can this vulnerability impact me?
The vulnerability can lead to unintended disclosure of sensitive authentication credentials and internal component information to a public server (api.nuget.org). This could allow unauthorized parties to gain insight into internal software components and potentially misuse the leaked credentials, increasing the risk of supply chain attacks or unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include disabling custom NuGet repositories until Dependency-Track is updated to version 4.13.5 or later, invalidating any previously used credentials, and generating new credentials to be used after applying the patch.