Default Credentials in nginx-defender Configuration Files

Moderate severity GitHub Reviewed Published Aug 19, 2025 in Anipaleja/nginx-defender • Updated Aug 29, 2025

Package

gomod github.com/Anipaleja/nginx-defender (Go)

Affected versions

< 1.5.0

Patched versions

1.5.0

Description

Impact

This is a configuration vulnerability affecting nginx-defender deployments. The example configuration files config.yaml and docker-compose.yml ship with default credentials: config.yaml sets default_password: "change_me_please", and docker-compose.yml sets the Grafana admin password with GF_SECURITY_ADMIN_PASSWORD=admin123. If nginx-defender is deployed without changing these defaults, an attacker with network access to the admin interface can log in with the published values and gain administrative control, bypassing the protections nginx-defender is meant to enforce.

Who is impacted?
All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is mitigated in v1.5.0 and later:

A warning is logged at startup if default credentials are detected.
The documentation now strongly recommends changing all default passwords before deployment.

Patched versions: 1.5.0 and later. The advisory states that the issue will be fully patched in v1.7.0 and later. A startup warning does not stop a deployment that still uses the defaults, so on versions before 1.7.0 the credentials still have to be changed by the operator.

Workarounds

Users can remediate the vulnerability without upgrading by changing all default credentials in the configuration files before deployment, for example:

# config.yaml
auth:
  default_password: "your_strong_password_here"

# docker-compose.yml
- GF_SECURITY_ADMIN_PASSWORD=your_strong_password

Replace the placeholder values with unique, randomly generated passwords rather than deploying them verbatim. In addition, restrict network access to the admin interface to trusted hosts, and supply secrets through environment variables instead of committing them to configuration files.
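A preflight check that turns the v1.5.0 startup warning and the workaround above into something a deployment can enforce, written here as an added example (it is not code from the nginx-defender project): it scans the text of config.yaml and docker-compose.yml for the default values named in this advisory, treats values interpolated from the environment as safe, and exits non-zero when a default or a copied placeholder is still present. The sample file contents, the hardenedCompose form, the GRAFANA_ADMIN_PASSWORD variable name and the check.go file name are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Default credentials named in the advisory, keyed by the config key that carries them.
var knownDefaults = map[string]string{
	"default_password":           "change_me_please", // config.yaml, under auth:
	"GF_SECURITY_ADMIN_PASSWORD": "admin123",         // docker-compose.yml, Grafana admin
}

// Placeholder values from the workaround text; deploying them verbatim is as bad as the defaults.
var placeholders = map[string]bool{
	"your_strong_password_here": true,
	"your_strong_password":      true,
}

// Finding is one credential that must be changed before deployment.
type Finding struct {
	File  string
	Line  int
	Key   string
	Value string
}

// keyValue matches "key: value", "key=value" and "- KEY=value" lines, with or
// without quotes around the value. A line scan is deliberate: it works on both
// files without a YAML parser and catches the env-list form in compose files.
var keyValue = regexp.MustCompile(`^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*"?([^"\s#]+)"?`)

// ScanConfig reports every known default or placeholder credential in one file's text.
// Values interpolated from the environment (${VAR}, ${VAR:?msg}) are considered safe:
// the secret is supplied at deploy time rather than stored in the file.
func ScanConfig(name, text string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		m := keyValue.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		key, val := m[1], m[2]
		def, tracked := knownDefaults[key]
		if !tracked || strings.HasPrefix(val, "${") {
			continue
		}
		if val == def || placeholders[val] {
			findings = append(findings, Finding{File: name, Line: n, Key: key, Value: val})
		}
	}
	return findings
}

// Preflight scans several files and returns ok=true only when none of them still
// carries a default credential; meant to run in CI or an entrypoint before the service starts.
func Preflight(files map[string]string) (ok bool, findings []Finding) {
	for name, text := range files {
		findings = append(findings, ScanConfig(name, text)...)
	}
	return len(findings) == 0, findings
}

// Constructed sample files mirroring the advisory's snippets (not the project's own files).
const sampleConfig = `# config.yaml
auth:
  default_password: "change_me_please"
`

const sampleCompose = `services:
  grafana:
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin123
`

// Hardened form (constructed): the secret comes from the deploy environment and
// compose refuses to start if the variable is unset.
const hardenedCompose = `services:
  grafana:
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}
`

func main() {
	files := map[string]string{}
	if len(os.Args) > 1 {
		for _, path := range os.Args[1:] {
			data, err := os.ReadFile(path)
			if err != nil {
				fmt.Fprintln(os.Stderr, err)
				os.Exit(2)
			}
			files[path] = string(data)
		}
	} else {
		// No arguments: demonstrate on the constructed samples above.
		files = map[string]string{"config.yaml": sampleConfig, "docker-compose.yml": sampleCompose}
	}
	ok, findings := Preflight(files)
	for _, f := range findings {
		fmt.Printf("%s:%d: %s still set to %q; change it before deploying\n", f.File, f.Line, f.Key, f.Value)
	}
	if !ok {
		os.Exit(1)
	}
}
```

Run it as go run check.go config.yaml docker-compose.yml from a CI step or the container entrypoint; a non-zero exit blocks the deploy. The hardened compose form relies on Compose's ${VAR:?message} interpolation, which makes docker compose refuse to start when the variable is unset, so the Grafana password never has to appear in the file at all.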

References

Anipaleja published to Anipaleja/nginx-defender Aug 19, 2025
Published by the National Vulnerability Database Aug 19, 2025
Published to the GitHub Advisory Database Aug 19, 2025
Reviewed Aug 19, 2025
Last updated Aug 29, 2025

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
6.5 / 10

CVSS v3 base metrics

Attack vector: Network (more severe the more remote, logically and physically, an attacker can be in order to exploit the vulnerability)
Attack complexity: Low (more severe for the least complex attacks)
Privileges required: None (more severe if no privileges are required)
User interaction: None (more severe when no user interaction is required)
Scope: Unchanged (more severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope)
Confidentiality: Low (more severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user)
Integrity: Low (more severe when loss of data integrity is highest, measuring the consequence of data modification possible by an unauthorized user)
Availability: None (more severe when the loss of impacted component availability is highest)

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(11th percentile)

Weaknesses

Use of Default Credentials (CWE-1392)

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

CVE ID

CVE-2025-55740

GHSA ID

GHSA-pr72-8fxw-xx22

Credits
