CVE-2025-55740

nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later.

nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later.

Default Credentials in nginx-defender Configuration Files in github.com/Anipaleja/nginx-defender

### Impact This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files [config.yaml](https://github.com/Anipaleja/nginx-defender/blob/main/config.yaml), [docker-compose.yml](https://github.com/Anipaleja/nginx-defender/blob/main/docker-compose.yml) contain default credentials (`default_password: "change_me_please"`, `GF_SECURITY_ADMIN_PASSWORD=admin123`). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. **Who is impacted?** All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks. ### Patches The issue is addressed in v1.5.0 and later. Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment. Patched versions: 1.5.0 and later **Will be fully patched in v1.7.0 and later** ### Workarounds Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment: ```yaml # config.yaml auth: default_password: "your_strong_password_here" ``` ```yml # docker-compose.yml - GF_SECURITY_ADMIN_PASSWORD=your_strong_password ``` Restrict access to the admin interface and use environment variables for secrets. ### References - [Security Configuration Guide](https://github.com/Anipaleja/nginx-defender/blob/main/docs/security-config.md) - [Full Security Advisory](https://github.com/Anipaleja/nginx-defender/security/advisories) - [Library README](https://github.com/Anipaleja/nginx-defender/blob/main/lib/README.md) - [README](https://github.com/Anipaleja/nginx-defender/blob/main/README.md)

nginx-defender es un firewall de aplicaciones web (WAF) de alto rendimiento y nivel empresarial, y un sistema de detección de amenazas diseñado para infraestructuras web modernas. Esta vulnerabilidad de configuración afecta las implementaciones de nginx-defender. Los archivos de configuración de ejemplo config.yaml y docker-compose.yml contienen credenciales predeterminadas (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). Si los usuarios implementan nginx-defender sin cambiar estas credenciales predeterminadas, los atacantes con acceso a la red podrían obtener control administrativo, evadiendo las protecciones de seguridad. El problema se soluciona en la versión 1.5.0 y posteriores.