Insecure MD4 Hash (PyCryptodome)

HIGH

MD4 has been completely broken since 1995: full collisions are computable in well under a second on commodity hardware. It has no legitimate security use. Use SHA-256 or SHA-3 instead.

Rule Information

Language
Python
Category
Cryptography
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, pycryptodome, md4, weak-hash, CWE-327, OWASP-A02
CWE References
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-013 --project .

About This Rule

Understanding the vulnerability and how it is detected

Detects usage of MD4 via PyCryptodome's `Crypto.Hash.MD4.new()` or `Cryptodome.Hash.MD4.new()` constructor. MD4 was designed by Ron Rivest in 1990 as a fast predecessor to MD5. By 1995, Hans Dobbertin had demonstrated a full collision attack against MD4, and the differential attacks published by Wang et al. in 2004, together with later refinements, brought the cost of a collision down to a handful of MD4 compression-function evaluations, i.e. milliseconds on a laptop. There is no scenario in which MD4 provides meaningful security.

MD4 survives in legacy protocols, most visibly Windows NTLM authentication: the NT hash is MD4 over the UTF-16LE-encoded password, and both NTLMv1 and NTLMv2 derive their response keys from that hash. (The older LAN Manager hash, by contrast, is DES-based and does not use MD4.) MD4 is present in PyCryptodome solely to interoperate with such legacy systems, not for new security implementations.

This rule is rated HIGH severity because MD4 is more thoroughly broken than MD5: collisions are cheaper, the best known preimage attack is stronger, and no context exists in which MD4 is an acceptable security primitive today. If MD4 appears in a codebase, treat it as a critical finding requiring immediate remediation or an explicit, documented justification (e.g., NTLM protocol compatibility with a defined migration timeline).

Security Implications

Potential attack scenarios if this vulnerability is exploited

How to Fix

Recommended remediation steps

  1. Replace Crypto.Hash.MD4.new() with Crypto.Hash.SHA256.new() for all integrity and authentication use cases. SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance, with no known practical attacks.
  2. For password hashing, use Argon2id (argon2-cffi), bcrypt, or scrypt, not SHA-256 or any raw hash function: raw hashes are unsalted and far too fast for password storage.
  3. If MD4 is required by a legacy protocol such as NTLM, document the usage explicitly with a migration plan and compensating controls (e.g., require NTLMv2 and refuse NTLMv1 and LM responses, enforce network-level authentication).
  4. Audit all callers of Crypto.Hash.MD4 to determine whether they sit in a security-sensitive code path; given how thoroughly MD4 is broken, even non-obvious uses (e.g., as a PRF component) pose risk.
  5. For message authentication, use Crypto.Hash.HMAC with SHA-256 as the digest module, and compare tags in constant time.

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

Matches any call to `PyCryptoHashMD4.method("new")` where `PyCryptoHashMD4` is a QueryType resolving fully-qualified names `Crypto.Hash.MD4` and `Cryptodome.Hash.MD4`. This covers both the PyCryptodome drop-in compatibility namespace (`Crypto.*`) and the standalone namespace (`Cryptodome.*`). The rule fires on `.new()` constructor invocation. MD4 has an extremely narrow set of legitimate uses (NTLM protocol compatibility), making almost all detected instances a genuine security concern.

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography
NIST SP 800-131A
SHA-1 disallowed for digital signature generation; MD4 and MD5 were never NIST-approved hash functions
NIST SP 800-53
SC-13: Cryptographic Protection

Frequently Asked Questions

Common questions about Insecure MD4 Hash (PyCryptodome)

No. Unlike MD5 or SHA-1, MD4 has no remaining non-security niche worth preserving; even for trivial checksums a non-broken algorithm is the better choice for future-proofing. The only legitimate reason to call Crypto.Hash.MD4.new() is to implement or parse a legacy protocol (e.g., NTLM) that you cannot change, and even then a migration timeline should be documented.
If you are implementing NTLM for Windows domain authentication compatibility, document the MD4 usage explicitly as a protocol-mandated legacy dependency. Ensure NTLMv2 is enforced (not NTLMv1), apply the defense-in-depth controls recommended by Microsoft, and plan migration to Kerberos or modern authentication protocols. Do not extend the use of MD4 beyond the minimum required for protocol compliance.
MD4 is significantly more broken than MD5. MD5 collisions became practical in 2004 and take seconds on a PC; MD4 collisions were demonstrated in 1995 and now take milliseconds using differential cryptanalysis. MD4 also has weaker preimage resistance than MD5. There is no scenario in which MD4 is preferable to MD5, and MD5 itself is unacceptable for security.
The severity difference reflects practical attack cost. MD5 collisions require seconds to minutes of computation and some specialized knowledge. MD4 collisions require milliseconds and are trivially reproducible using published tools. The window for exploiting MD4 is significantly wider, and the algorithm has no redeemable security properties.
Run `code-pathfinder scan --ruleset python/cryptography/PYTHON-CRYPTO-SEC-013 --path ./src` in your pipeline. Add `--format sarif` to produce SARIF output compatible with GitHub Advanced Security and similar platforms.
Yes, PyCryptodome includes MD4 for legacy protocol support. Its inclusion does not imply it is safe for new security applications.
Security tooling that intentionally implements broken algorithms for attack simulation or protocol testing should suppress this finding with a documented suppression comment explaining the context. The suppression should be scoped as narrowly as possible and reviewed in code review.
