Use of MD5 Weak Hash Algorithm

HIGH

Detects use of MD5 (crypto/md5) which is cryptographically broken — collision attacks are feasible in seconds and GPU cracking reaches 164 billion hashes/second.

Rule Information

Language
Go
Category
Security
Author
Shivasurya
Last Updated
2026-04-13
Tags
go, security, crypto, md5, weak-hash, collision-attack, CWE-328, OWASP-A02
CWE References

Interactive Playground


pathfinder scan --ruleset golang/GO-CRYPTO-001 --project .

About This Rule

Understanding the vulnerability and how it is detected

MD5 was designed in 1992 and has been cryptographically broken since Xiaoyun Wang et al. demonstrated practical collision attacks at CRYPTO 2004. The Wang-Yu attack finds two distinct inputs with the same MD5 digest in under one second on modern hardware using differential cryptanalysis with modular arithmetic differentials.

The Flame malware (June 2012) is the highest-profile real-world exploitation: Flame's operators used a chosen-prefix MD5 collision to forge a Microsoft code-signing certificate. The forged certificate passed Windows Update's chain-of-trust validation, allowing Flame to spread via a man-in-the-middle attack against Windows Update — the first documented deployment of a live MD5 collision attack in the wild.

On an NVIDIA RTX 4090, hashcat computes 164.1 billion MD5 hashes per second. An 8-character mixed-case alphanumeric password space (218 trillion combinations) is exhausted in under 22 minutes. Any MD5-hashed password database is practically unprotected against GPU cracking.

MD5 is not recognized as an approved algorithm in any FIPS 140-2/3 validated cryptographic module. NIST SP 800-131A Rev 2 does not list MD5 as acceptable for any cryptographic security purpose. The Go standard library retains crypto/md5 only for legacy interoperability — the package documentation notes it is "cryptographically broken and should not be used for secure applications."

**Acceptable uses**: Non-security file transfer checksums (detecting accidental bit-flips when an adversary is not present), partition key derivation in distributed databases, legacy cache key generation where collision does not have security consequences.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Forged Digital Signatures

A chosen-prefix MD5 collision allows an attacker to create two documents with the same MD5 digest but different content. If a CA signs one, the signature is valid for the other. The Flame malware exploited exactly this to forge a Microsoft Windows Update code-signing certificate (June 2012).

2. File Integrity Bypass

If MD5 is used to verify file integrity (firmware updates, software downloads), an attacker who can intercept the download or control the distribution server can replace a legitimate binary with a malicious one that shares the same MD5 hash, passing the integrity check.

3. Password Database Cracking

MD5 password hashes can be cracked at 164 billion attempts per second on a single RTX 4090 GPU. An 8-character password is recovered in under 22 minutes. Rainbow tables for unsalted MD5 cover most real-world passwords. MD5-hashed password databases from breaches are routinely cracked and published within hours.

4. Certificate Spoofing

PKI systems that use MD5 for certificate fingerprinting or signing are vulnerable to certificate impersonation. The CA/Browser Forum banned MD5 in TLS certificates in 2008 after the Sotirov et al. rogue CA attack.

How to Fix

Recommended remediation steps

  1. Replace md5.New() and md5.Sum() with sha256.New() and sha256.Sum256() for integrity hashing.
  2. For password hashing, use golang.org/x/crypto/bcrypt (cost >= 12) or argon2.IDKey.
  3. Never use MD5 for digital signatures, certificate fingerprints, or token generation.
  4. If migrating from MD5 passwords: at next successful login, re-hash with bcrypt/argon2id.
  5. For TLS/HMAC: the Go crypto/tls package and crypto/hmac with SHA-256 are safe defaults.
  6. MD5 is acceptable ONLY for non-security checksums (detecting accidental bit-flips) when no adversary is present and cannot substitute inputs.

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

Detects all calls to crypto/md5 package methods (New(), Sum()). Fires on any use — regardless of context — because MD5 has no safe use in security-critical paths and sha256 is a zero-friction drop-in replacement.
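To make the scope concrete, the following is an added example of the same check written against Go's own parser: it reports every call to crypto/md5's New or Sum in one source file, honouring an import alias. This is illustrative code written for this page, not the Code Pathfinder engine or the rule.py the playground runs; the Finding type, FindMD5Calls and the embedded sample file are constructed here. It works purely on syntax, so a dot-import of crypto/md5 or a local variable that shadows the package name would need type information (go/types) that this example deliberately leaves out.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one flagged call into the crypto/md5 package.
type Finding struct {
	Line int
	Call string // e.g. "md5.Sum"
}

// FindMD5Calls parses a Go source file given as text and returns each call
// to crypto/md5's New or Sum, in source order. Returns nil when the package
// is not imported (or only blank-imported).
func FindMD5Calls(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Resolve the local identifier crypto/md5 is bound to ("md5" unless aliased).
	local := ""
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil || path != "crypto/md5" {
			continue
		}
		local = "md5"
		if imp.Name != nil {
			local = imp.Name.Name
		}
	}
	if local == "" || local == "_" {
		return nil, nil
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != local {
			return true
		}
		if sel.Sel.Name == "New" || sel.Sel.Name == "Sum" {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Call: local + "." + sel.Sel.Name,
			})
		}
		return true
	})
	return findings, nil
}

// sampleSrc is a constructed input: two MD5 calls that should fire and one
// SHA-256 call that should not.
const sampleSrc = `package main

import (
	"crypto/md5"
	"crypto/sha256"
	"fmt"
)

func main() {
	data := []byte("hello")
	fmt.Printf("%x\n", md5.Sum(data))      // flagged (line 11)
	h := md5.New()                          // flagged (line 12)
	h.Write(data)
	fmt.Printf("%x\n", sha256.Sum256(data)) // not flagged
}
`

func main() {
	findings, err := FindMD5Calls("sample.go", sampleSrc)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: GO-CRYPTO-001 use of %s\n", f.Line, f.Call)
	}
}
```

Matching on the import path rather than the literal identifier is what keeps the check from being sidestepped by `import m "crypto/md5"`, and it is also why a plain grep for `md5.` is a poor substitute.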

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

NIST SP 800-131A Rev 2 (2019)
MD5 was never approved. Table 1 lists approved hash algorithms: SHA-1 (restricted), SHA-2 family (approved), SHA-3 family (approved). MD5 does not appear. URL: https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
FIPS 140-2/3
MD5 is not an approved algorithm for use in FIPS 140-2/3 validated modules. FIPS-approved algorithms are listed in FIPS 180-4 (SHA family) and FIPS 202 (SHA-3).
PCI DSS v4.0
Requirement 4.2.1 — Strong cryptography required for transmission of cardholder data. Requirement 6.2.4 — Protect against cryptographic failures.
OWASP Top 10
A02:2021 — Cryptographic Failures

Frequently Asked Questions

Common questions about Use of MD5 Weak Hash Algorithm

Use Code Pathfinder to scan your codebase: pathfinder scan --ruleset golang/GO-CRYPTO-001 --project .
This vulnerability is rated as HIGH severity.
Yes! Code Pathfinder allows you to customize rules. Modify detection patterns, adjust severity levels, add custom sanitizers, and configure the rule to fit your organization's security policies.

The Use of MD5 Weak Hash Algorithm rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works