GHSA-pr72-8fxw-xx22
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pr72-8fxw-xx22
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-pr72-8fxw-xx22/GHSA-pr72-8fxw-xx22.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pr72-8fxw-xx22
- Aliases
-
- CVE-2025-55740
- Published
- 2025-08-19T22:24:40Z
- Modified
- 2025-08-19T22:42:19.688492Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Default Credentials in nginx-defender Configuration Files
- Details
-
Impact
This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml, docker-compose.yml contain default credentials (
default_password: "change_me_please",GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.Who is impacted? All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.
Patches
The issue is addressed in v1.5.0 and later.
Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment. Patched versions: 1.5.0 and later Will be fully patched in v1.7.0 and later
Workarounds
Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:
# config.yaml auth: default_password: "your_strong_password_here"# docker-compose.yml - GF_SECURITY_ADMIN_PASSWORD=your_strong_passwordRestrict access to the admin interface and use environment variables for secrets.
References
- Database specific
{ "github_reviewed_at": "2025-08-19T22:24:40Z", "severity": "MODERATE", "cwe_ids": [ "CWE-1392" ], "nvd_published_at": "2025-08-19T20:15:35Z", "github_reviewed": true }- References
Affected packages
Go / github.com/Anipaleja/nginx-defender
Package
- Name
- github.com/Anipaleja/nginx-defender
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/Anipaleja/nginx-defender