CVE-2025-56157

EUVD-2025-204372
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
langgeniusdify
𝑥
≤ 1.5.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://dify.com
https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd
https://gist.github.com/Cristliu/298f51cbc72c45d91632cd0d65aa8161
https://github.com/langgenius/dify
https://github.com/langgenius/dify/issues/15285
https://github.com/langgenius/dify/pull/15286
https://github.com/langgenius/dify/pull/15286.diff
https://github.com/langgenius/dify/releases/tag/1.0.1
https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd