Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-pr72-8fxw-xx22: Default Credentials in nginx-defender Configuration Files

Impact

This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml, docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.

Who is impacted? All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is addressed in v1.5.0 and later.

Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment. Patched versions: 1.5.0 and later Will be fully patched in v1.7.0 and later

Workarounds

Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:

# config.yaml
auth:
  default_password: "your_strong_password_here"
# docker-compose.yml
- GF_SECURITY_ADMIN_PASSWORD=your_strong_password

Restrict access to the admin interface and use environment variables for secrets.

References

ghsa
#vulnerability#git#nginx#auth#docker

Impact

This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files
config.yaml, docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.

Who is impacted?
All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is addressed in v1.5.0 and later.

Startup warnings are added if default credentials are detected.
Documentation now strongly recommends changing all default passwords before deployment.
Patched versions:
1.5.0 and later
Will be fully patched in v1.7.0 and later

Workarounds

Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:

config.yaml

auth: default_password: “your_strong_password_here”

docker-compose.yml

  • GF_SECURITY_ADMIN_PASSWORD=your_strong_password

Restrict access to the admin interface and use environment variables for secrets.

References

  • Security Configuration Guide
  • Full Security Advisory
  • Library README
  • README

References

  • GHSA-pr72-8fxw-xx22
  • https://nvd.nist.gov/vuln/detail/CVE-2025-55740

ghsa: Latest News

GHSA-4p3p-cr38-v5xp: Omni is Vulnerable to DoS via Empty Create/Update Resource Requests