Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.1
Flowise Password Hashes are Too Easy to Crack
GHSA-x2g5-fvc2-gqvp
Summary
Flowise's default password hashing process is not secure enough, making it easier for hackers to guess passwords if the database is compromised. This affects all users who have passwords stored in the system. To fix this, the default number of password hashing rounds should be increased to at least 10, and ideally 12, to slow down password cracking attempts and improve security.
What to do
- Update flowise to version 3.0.13.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | flowise | <= 3.0.12 | 3.0.13 |
Original title
Flowise has Insufficient Password Salt Rounds
Original description
### Description
The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security.
### Affected Code
```
export function getHash(value: string) {
const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5'))
return bcrypt.hashSync(value, salt)
}
```
### Evidence
Using 5 salt rounds provides 2^5 = 32 iterations, which is far below the OWASP recommendation of 10 (2^10 = 1024 iterations) for bcrypt. This makes password hashes vulnerable to brute-force attacks with modern hardware.
### Impact
Faster password cracking - in the event of database compromise, attackers can crack password hashes significantly faster than with proper salt rounds, potentially compromising all user accounts.
### Recommendation
Increase default PASSWORD_SALT_HASH_ROUNDS to at least 10 (recommended by OWASP). Consider using 12 for better security-performance balance. Document that higher values increase login time but improve security.
### Notes
The default bcrypt salt rounds is 5 (line 6), which provides only 2^5=32 iterations. OWASP recommends minimum 10 rounds (1024 iterations) for bcrypt. While configurable via PASSWORD_SALT_HASH_ROUNDS env var, the default matters because: (1) most deployments use defaults, (2) existing password hashes at 5 rounds remain vulnerable even if later increased. With modern GPUs, 5 rounds allows ~300,000 hashes/second vs ~10,000/second at 10 rounds - a 30x difference in cracking speed. In a database breach scenario, all user passwords could be cracked significantly faster. The same weak default is used in resetPassword (account.service.ts:568). This is a cryptographic weakness with real-world impact on password security.
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-916 (Use of Password Hash With Insufficient Computational Effort) |
| Location | packages/server/src/enterprise/utils/encryption.util.ts:5-7 |
| Practical Exploitability | Medium |
| Developer Approver | [email protected] |
The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security.
### Affected Code
```
export function getHash(value: string) {
const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5'))
return bcrypt.hashSync(value, salt)
}
```
### Evidence
Using 5 salt rounds provides 2^5 = 32 iterations, which is far below the OWASP recommendation of 10 (2^10 = 1024 iterations) for bcrypt. This makes password hashes vulnerable to brute-force attacks with modern hardware.
### Impact
Faster password cracking - in the event of database compromise, attackers can crack password hashes significantly faster than with proper salt rounds, potentially compromising all user accounts.
### Recommendation
Increase default PASSWORD_SALT_HASH_ROUNDS to at least 10 (recommended by OWASP). Consider using 12 for better security-performance balance. Document that higher values increase login time but improve security.
### Notes
The default bcrypt salt rounds is 5 (line 6), which provides only 2^5=32 iterations. OWASP recommends minimum 10 rounds (1024 iterations) for bcrypt. While configurable via PASSWORD_SALT_HASH_ROUNDS env var, the default matters because: (1) most deployments use defaults, (2) existing password hashes at 5 rounds remain vulnerable even if later increased. With modern GPUs, 5 rounds allows ~300,000 hashes/second vs ~10,000/second at 10 rounds - a 30x difference in cracking speed. In a database breach scenario, all user passwords could be cracked significantly faster. The same weak default is used in resetPassword (account.service.ts:568). This is a cryptographic weakness with real-world impact on password security.
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-916 (Use of Password Hash With Insufficient Computational Effort) |
| Location | packages/server/src/enterprise/utils/encryption.util.ts:5-7 |
| Practical Exploitability | Medium |
| Developer Approver | [email protected] |
ghsa CVSS3.1
4.1
Vulnerability type
CWE-328
CWE-916
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026