GHSA-PR72-8FXW-XX22

Vulnerability from github – Published: 2025-08-19 22:24 – Updated: 2025-08-29 20:37
Summary
Default Credentials in nginx-defender Configuration Files
Details

Impact

This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml, docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.

Who is impacted? All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is addressed in v1.5.0 and later.

Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment.

Patched versions: 1.5.0 and later.

Will be fully patched in v1.7.0 and later.

Workarounds

Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:

# config.yaml
auth:
  default_password: "your_strong_password_here"

# docker-compose.yml
- GF_SECURITY_ADMIN_PASSWORD=your_strong_password

Restrict access to the admin interface and use environment variables for secrets.
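The patch description says v1.5.0 warns at startup when default credentials are detected. The following is an added illustration of such a check, not code from the nginx-defender project: it looks for the two shipped defaults the advisory names in a config.yaml document and in the environment, and reports anything that is still a default or has been left empty. The minimal line scanner stands in for a real YAML parser so the example stays stdlib-only.

```go
package main

import (
	"os"
	"strings"
)

// Shipped defaults named in the advisory (added example, not project code).
var knownDefaults = map[string]string{
	"default_password":           "change_me_please",
	"GF_SECURITY_ADMIN_PASSWORD": "admin123",
}

// lookupConfigValue is a deliberately minimal, stdlib-only scan for a
// "key: value" line in config.yaml; a real check would use a YAML parser.
func lookupConfigValue(yamlText, key string) string {
	for _, line := range strings.Split(yamlText, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), ":")
		if ok && strings.TrimSpace(k) == key {
			return strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return ""
}

// DefaultCredentialWarnings returns one message per credential that is missing,
// empty, or still the shipped default (the startup check the advisory describes).
func DefaultCredentialWarnings(configYAML string, env map[string]string) []string {
	var warnings []string
	check := func(source, name, value string) {
		switch {
		case value == "":
			warnings = append(warnings, source+": "+name+" is missing or empty")
		case value == knownDefaults[name]:
			warnings = append(warnings, source+": "+name+" is the shipped default")
		}
	}
	check("config.yaml", "default_password", lookupConfigValue(configYAML, "default_password"))
	check("environment", "GF_SECURITY_ADMIN_PASSWORD", env["GF_SECURITY_ADMIN_PASSWORD"])
	return warnings
}

func main() {
	// Constructed sample reproducing the advisory's default; the env var is read from the process.
	sample := "auth:\n  default_password: \"change_me_please\"\n"
	env := map[string]string{"GF_SECURITY_ADMIN_PASSWORD": os.Getenv("GF_SECURITY_ADMIN_PASSWORD")}
	for _, w := range DefaultCredentialWarnings(sample, env) {
		os.Stderr.WriteString("WARNING: " + w + "\n")
	}
}
```

A deployment pipeline can run the same function against the rendered config and refuse to start the service when the returned slice is non-empty.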

References

  • Security Configuration Guide: https://github.com/Anipaleja/nginx-defender/blob/main/docs/security-config.md
  • Full Security Advisory: https://github.com/Anipaleja/nginx-defender/security/advisories
  • Library README: https://github.com/Anipaleja/nginx-defender/blob/main/lib/README.md
  • README: https://github.com/Anipaleja/nginx-defender/blob/main/README.md

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Anipaleja/nginx-defender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-19T22:24:40Z",
    "nvd_published_at": "2025-08-19T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis is a configuration vulnerability affecting nginx-defender deployments. Example configuration files \n[config.yaml](https://github.com/Anipaleja/nginx-defender/blob/main/config.yaml), [docker-compose.yml](https://github.com/Anipaleja/nginx-defender/blob/main/docker-compose.yml) contain default credentials (`default_password: \"change_me_please\"`, `GF_SECURITY_ADMIN_PASSWORD=admin123`). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.\n\n**Who is impacted?**\nAll users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.\n\n### Patches\nThe issue is addressed in v1.5.0 and later.\n\nStartup warnings are added if default credentials are detected.\nDocumentation now strongly recommends changing all default passwords before deployment.\nPatched versions:\n1.5.0 and later\n**Will be fully patched in v1.7.0 and later**\n\n### Workarounds\nUsers can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:\n```yaml\n# config.yaml\nauth:\n  default_password: \"your_strong_password_here\"\n```\n\n```yml\n# docker-compose.yml\n- GF_SECURITY_ADMIN_PASSWORD=your_strong_password\n```\nRestrict access to the admin interface and use environment variables for secrets.\n\n### References\n- [Security Configuration Guide](https://github.com/Anipaleja/nginx-defender/blob/main/docs/security-config.md)\n- [Full Security Advisory](https://github.com/Anipaleja/nginx-defender/security/advisories)\n- [Library README](https://github.com/Anipaleja/nginx-defender/blob/main/lib/README.md)\n- [README](https://github.com/Anipaleja/nginx-defender/blob/main/README.md)",
  "id": "GHSA-pr72-8fxw-xx22",
  "modified": "2025-08-29T20:37:35Z",
  "published": "2025-08-19T22:24:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Anipaleja/nginx-defender/security/advisories/GHSA-pr72-8fxw-xx22"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55740"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Anipaleja/nginx-defender"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Default Credentials in nginx-defender Configuration Files"
}

