9.8

CVE-2025-56157

Exploit
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LanggeniusDify SwPlatformnode.js Version <= 1.5.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.519
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/langgenius/dify
Product
https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd
Third Party Advisory
Exploit
Mitigation
https://gist.github.com/Cristliu/298f51cbc72c45d91632cd0d65aa8161
https://github.com/langgenius/dify/releases/tag/1.0.1
https://github.com/langgenius/dify/issues/15285
https://github.com/langgenius/dify/pull/15286
https://github.com/langgenius/dify/pull/15286.diff