x/vulndb: potential Go vuln in github.com/netbirdio/netbird: GHSA-g3j4-58mp-3x25 #4040
Description
Advisory GHSA-g3j4-58mp-3x25 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/netbirdio/netbird |
Description:
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL.
This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.
This issue has been fixed in version 0.57.0.
References:
- ADVISORY: GHSA-g3j4-58mp-3x25
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-10678
- FIX: netbirdio/netbird@cf7f6c3
- WEB: https://cert.pl/en/posts/2025/10/CVE-2025-10678
- WEB: https://netbird.io
Cross references:
- github.com/netbirdio/netbird appears in 1 other report(s):
- data/reports/GO-2024-3057.yaml (x/vulndb: potential Go vuln in github.com/netbirdio/netbird: GHSA-9v35-4xcr-w9ph #3057)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/netbirdio/netbird
versions:
- fixed: 0.57.0
vulnerable_at: 0.56.1
summary: NetBird VPN does not remove the default password of an admin account in github.com/netbirdio/netbird
cves:
- CVE-2025-10678
ghsas:
- GHSA-g3j4-58mp-3x25
references:
- advisory: https://github.com/advisories/GHSA-g3j4-58mp-3x25
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-10678
- fix: https://github.com/netbirdio/netbird/commit/cf7f6c355f713e83cf171b79e08dac60b316e4fd
- web: https://cert.pl/en/posts/2025/10/CVE-2025-10678
- web: https://netbird.io
source:
id: GHSA-g3j4-58mp-3x25
created: 2025-10-20T21:01:12.715040664Z
review_status: UNREVIEWED