PT-2025-41166 · Unknown+1 · Dependency-Track+1
Colinfyfe
Published 2025-10-07
Updated 2025-10-07
CVE-2025-61776
CVSS v3.1 4.7 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dependency-Track versions prior to 4.13.5
Description: Dependency-Track is a component analysis platform used for managing software supply chain risk. Versions prior to 4.13.5 may inadvertently transmit credentials intended for a private NuGet repository to api.nuget.org through the HTTP Authorization header. This can also disclose the names and versions of internally marked components to api.nuget.org. The issue occurs when all of the following hold: a Dependency-Track instance includes .NET components, a custom NuGet repository is configured, that repository is configured with authentication credentials, and the repository server does not provide the PackageBaseAddress resource in its service index.
Recommendations: Disable custom NuGet repositories until version 4.13.5 is applied. Invalidate previously used credentials. Generate new credentials for use after applying version 4.13.5.
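As an added illustration (not Dependency-Track's own code), the condition the description names and the scoping rule that prevents the leak: a client resolves the PackageBaseAddress resource from a NuGet v3 service index and attaches the repository credential only to requests that stay on the configured repository's origin, rather than following a fallback to api.nuget.org. The feed URLs, index contents and credential string are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data (not a real feed): a private repository whose service
# index lacks the PackageBaseAddress resource, and one that provides it.
PRIVATE_REPO = "https://nuget.internal.example/v3/index.json"
INDEX_WITHOUT_PBA = json.dumps({"version": "3.0.0", "resources": [
    {"@id": "https://nuget.internal.example/v3/query", "@type": "SearchQueryService"},
]})
INDEX_WITH_PBA = json.dumps({"version": "3.0.0", "resources": [
    {"@id": "https://nuget.internal.example/v3/flat/", "@type": "PackageBaseAddress/3.0.0"},
]})
PUBLIC_FLAT_CONTAINER = "https://api.nuget.org/v3-flatcontainer/"


def package_base_address(service_index_json):
    """Return the @id of the PackageBaseAddress resource, or None if the index lacks it."""
    for res in json.loads(service_index_json).get("resources", []):
        if str(res.get("@type", "")).startswith("PackageBaseAddress/"):
            return res["@id"]
    return None


def versions_url(service_index_json, package_id):
    """Flat-container versions URL for a package. The fallback to api.nuget.org is the
    behaviour the advisory describes; note the package id itself ends up in the URL."""
    base = package_base_address(service_index_json) or PUBLIC_FLAT_CONTAINER
    return base.rstrip("/") + "/" + package_id.lower() + "/index.json"


def same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def plan_request_unsafe(service_index_json, package_id, credential):
    """Pre-fix pattern: the repository credential is attached to whatever URL the
    fallback produced, so a missing PackageBaseAddress sends it to api.nuget.org."""
    return versions_url(service_index_json, package_id), {"Authorization": credential}


def plan_request_safe(repo_url, service_index_json, package_id, credential):
    """Hardened pattern: never leave the configured repository's origin for an
    authenticated feed (neither credential nor component name reaches a third party)."""
    url = versions_url(service_index_json, package_id)
    if not same_origin(repo_url, url):
        return None  # surface as a configuration error instead of falling back
    return url, {"Authorization": credential}
```

Running the private index through `plan_request_safe` returns `None` when PackageBaseAddress is missing, which is the point at which an operator should fix the feed's service index rather than let the client wander to api.nuget.org.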


Weakness Enumeration
Insufficiently Protected Credentials (CWE-522)

Related Identifiers
CVE-2025-61776
GHSA-83G2-VGQH-MGXC

Affected Products
Dependency-Track
NuGet