PT-2025-52280 · Dify +1
Cristliu
Published 2025-12-18 · Updated 2026-01-29
CVE-2025-56157
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Dify versions through 1.5.1
Description
Dify ships with default PostgreSQL credentials: the database username and password are hard-coded in the docker-compose.yaml file distributed with the application's source code, so every deployment that does not override them shares the same, publicly known password. Anyone who can reach the PostgreSQL service can authenticate to it with these values. The supplier states that, in version 1.0.1 and later, the Docker configuration no longer exposes PostgreSQL (TCP port 5432) outside the container network by default; the credentials themselves remain in the file.
Recommendations
Versions prior to 1.0.1: review docker-compose.yaml, replace the default PostgreSQL username and password with unique values, and restart the stack. Note that the official postgres image applies POSTGRES_PASSWORD only when it initializes an empty data directory; for an existing database volume the password must also be changed inside PostgreSQL (ALTER USER ... WITH PASSWORD) or the old default keeps working.
Versions 1.0.1 and later: verify that the Docker configuration does not publish PostgreSQL on TCP port 5432 (no ports mapping for 5432 on the database service, and nothing listening on 5432 on the host's external interfaces), and change the default credentials as well, since they are still present in the file.
Exploit
Fix
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
Affected Products
Dify
PostgreSQL
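The two checks from the Recommendations, as an added shell example for this page; it is not Dify's own tooling and the sample compose files are constructed for the demo. It scans a docker-compose.yaml (the same patterns also match a .env file) for a PostgreSQL password still set to the shipped default and for a ports entry that publishes TCP 5432 on the host. The placeholder default password "changeme" and the hardened compose fragment are assumptions; put the literal value from your own docker-compose.yaml into DEFAULT_PG_PASSWORD.

```shell
#!/bin/sh
# Added example for this advisory, not Dify's own tooling. It audits a
# docker-compose.yaml (the same patterns also match a .env file) for the two
# conditions in the Recommendations: a PostgreSQL password still set to the
# value shipped in the repository, and a port mapping that publishes TCP 5432
# on the host. DEFAULT_PG_PASSWORD is a placeholder assumption for the demo;
# set it to the literal value found in your copy of docker-compose.yaml.
set -u

DEFAULT_PG_PASSWORD="${DEFAULT_PG_PASSWORD:-changeme}"

# Exit 0 if the file sets POSTGRES_PASSWORD or DB_PASSWORD to the default in
# any form compose accepts: "KEY: value", "- KEY=value", or "KEY: ${VAR:-value}"
# (the last is interpolation with a fallback, which still yields the default
# whenever .env does not override VAR).
has_default_password() {
    pat="^[[:space:]]*-?[[:space:]]*(POSTGRES_PASSWORD|DB_PASSWORD)[=:][[:space:]]*[\"']?([$][{][A-Za-z0-9_]+:-)?${DEFAULT_PG_PASSWORD}[}]?[\"']?[[:space:]]*\$"
    grep -Eq "$pat" "$1"
}

# Exit 0 if any short-syntax ports entry publishes container port 5432 on the
# host, e.g. "5432:5432", "0.0.0.0:5432:5432" or "${EXPOSE_DB_PORT:-5432}:5432".
# An "expose:" entry is not matched: it only opens the port on the compose network.
publishes_pg_port() {
    pat="^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?([$][{][A-Za-z0-9_]+:-)?[0-9]+[}]?:5432(/tcp)?[\"']?[[:space:]]*\$"
    grep -Eq "$pat" "$1"
}

# Print findings; exit 0 only if neither condition is present.
audit_compose() {
    rc=0
    if has_default_password "$1"; then
        echo "FAIL: $1 still uses the default PostgreSQL password"
        rc=1
    fi
    if publishes_pg_port "$1"; then
        echo "FAIL: $1 publishes PostgreSQL port 5432 on the host"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 (unique password, port not published)"
    return "$rc"
}

# Constructed sample inputs for the demo (not copied from the Dify repository).
VULN_COMPOSE="$(mktemp)"
SAFE_COMPOSE="$(mktemp)"
trap 'rm -f "$VULN_COMPOSE" "$SAFE_COMPOSE"' EXIT

# Weak: default password via fallback, and 5432 published on every host interface.
cat > "$VULN_COMPOSE" <<'EOF'
services:
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: ${DB_PASSWORD:-changeme}
    ports:
      - "5432:5432"
EOF

# Hardened: the password must come from .env (compose aborts if it is unset),
# and the port is reachable only from other containers on the compose network.
cat > "$SAFE_COMPOSE" <<'EOF'
services:
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: ${DB_PASSWORD:?set DB_PASSWORD in .env}
    expose:
      - "5432"
EOF

for f in "$VULN_COMPOSE" "$SAFE_COMPOSE"; do
    audit_compose "$f" || :   # '|| :' keeps a 'set -e' shell running past the FAIL case
done
```

Run it against a real checkout with `DEFAULT_PG_PASSWORD='<value from the file>' sh audit.sh` after pointing `audit_compose` at the deployment's docker-compose.yaml and .env. The grep patterns cover compose's short port syntax only; if the file uses the long form (`target: 5432` with a `published:` key), inspect that block by hand, and on a running host confirm with `ss -ltn` that nothing listens on 5432 on an external address.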