ghsa-pr72-8fxw-xx22
Vulnerability from github
Published
2025-08-19 22:24
Modified
2025-08-29 20:37
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Default Credentials in nginx-defender Configuration Files
Details

Impact

This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml, docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.

Who is impacted? All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is addressed in v1.5.0 and later.

Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment. Patched versions: 1.5.0 and later Will be fully patched in v1.7.0 and later

Workarounds

Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment: ```yaml

config.yaml

auth: default_password: "your_strong_password_here" ```

```yml

docker-compose.yml

  • GF_SECURITY_ADMIN_PASSWORD=your_strong_password ``` Restrict access to the admin interface and use environment variables for secrets.

References

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Anipaleja/nginx-defender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-19T22:24:40Z",
    "nvd_published_at": "2025-08-19T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis is a configuration vulnerability affecting nginx-defender deployments. Example configuration files \n[config.yaml](https://github.com/Anipaleja/nginx-defender/blob/main/config.yaml), [docker-compose.yml](https://github.com/Anipaleja/nginx-defender/blob/main/docker-compose.yml) contain default credentials (`default_password: \"change_me_please\"`, `GF_SECURITY_ADMIN_PASSWORD=admin123`). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.\n\n**Who is impacted?**\nAll users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.\n\n### Patches\nThe issue is addressed in v1.5.0 and later.\n\nStartup warnings are added if default credentials are detected.\nDocumentation now strongly recommends changing all default passwords before deployment.\nPatched versions:\n1.5.0 and later\n**Will be fully patched in v1.7.0 and later**\n\n### Workarounds\nUsers can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:\n```yaml\n# config.yaml\nauth:\n  default_password: \"your_strong_password_here\"\n```\n\n```yml\n# docker-compose.yml\n- GF_SECURITY_ADMIN_PASSWORD=your_strong_password\n```\nRestrict access to the admin interface and use environment variables for secrets.\n\n### References\n- [Security Configuration Guide](https://github.com/Anipaleja/nginx-defender/blob/main/docs/security-config.md)\n- [Full Security Advisory](https://github.com/Anipaleja/nginx-defender/security/advisories)\n- [Library README](https://github.com/Anipaleja/nginx-defender/blob/main/lib/README.md)\n- [README](https://github.com/Anipaleja/nginx-defender/blob/main/README.md)",
  "id": "GHSA-pr72-8fxw-xx22",
  "modified": "2025-08-29T20:37:35Z",
  "published": "2025-08-19T22:24:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Anipaleja/nginx-defender/security/advisories/GHSA-pr72-8fxw-xx22"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55740"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Anipaleja/nginx-defender"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Default Credentials in nginx-defender Configuration Files"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.