GHSA-x2g5-fvc2-gqvp
Flowise has Insufficient Password Salt Rounds
Details
### Description The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security.
### Affected Code ``` export function getHash(value: string) { const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5')) return bcrypt.hashSync(value, salt) } ```
### Evidence Using 5 salt rounds provides 2^5 = 32 iterations, which is far below the OWASP recommendation of 10 (2^10 = 1024 iterations) for bcrypt. This makes password hashes vulnerable to brute-force attacks with modern hardware.
### Impact Faster password cracking - in the event of database compromise, attackers can crack password hashes significantly faster than with proper salt rounds, potentially compromising all user accounts.
### Recommendation Increase default PASSWORD_SALT_HASH_ROUNDS to at least 10 (recommended by OWASP). Consider using 12 for better security-performance balance. Document that higher values increase login time but improve security.
### Notes The default bcrypt salt rounds is 5 (line 6), which provides only 2^5=32 iterations. OWASP recommends minimum 10 rounds (1024 iterations) for bcrypt. While configurable via PASSWORD_SALT_HASH_ROUNDS env var, the default matters because: (1) most deployments use defaults, (2) existing password hashes at 5 rounds remain vulnerable even if later increased. With modern GPUs, 5 rounds allows ~300,000 hashes/second vs ~10,000/second at 10 rounds - a 30x difference in cracking speed. In a database breach scenario, all user passwords could be cracked significantly faster. The same weak default is used in resetPassword (account.service.ts:568). This is a cryptographic weakness with real-world impact on password security.
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value | |---|---| | Severity | Medium | | CWE | CWE-916 (Use of Password Hash With Insufficient Computational Effort) | | Location | packages/server/src/enterprise/utils/encryption.util.ts:5-7 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai |
Are you affected?
Enter the version of the package you're using.