CVE-2025-56157
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
18/12/2025
Last modified:
29/01/2026
Description
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:langgenius:dify:*:*:*:*:*:node.js:*:* | 1.5.1 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://dify.com
- https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd
- https://gist.github.com/Cristliu/298f51cbc72c45d91632cd0d65aa8161
- https://github.com/langgenius/dify
- https://github.com/langgenius/dify/issues/15285
- https://github.com/langgenius/dify/pull/15286
- https://github.com/langgenius/dify/pull/15286.diff
- https://github.com/langgenius/dify/releases/tag/1.0.1
- https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd