Go Insecure Hash Use
Description
Identifies usage of cryptographically weak hash functions (MD4, MD5, RIPEMD160, SHA1) in Go code. These hash algorithms are vulnerable to collision attacks and should not be used for security-critical operations like password hashing or digital signatures.
Detection Strategy
• Detects when code creates new hash instances using crypto/md4, crypto/md5, crypto/ripemd160, or crypto/sha1 packages
• Specifically looks for calls to the New() function from these insecure hash packages
• Reports a vulnerability when any of these weak hash algorithms are instantiated in the code
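The detection strategy above, sketched as an added example (not the scanner's own rule code): it parses Go source with go/parser and reports calls to New() on the weak hash packages, including when the import is aliased. The golang.org/x/crypto import paths for MD4 and RIPEMD160, the name FindWeakHashNew and the sample input are assumptions of this example.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Import path -> default package name. MD4 and RIPEMD160 ship in golang.org/x/crypto.
var weakHashPkgs = map[string]string{"crypto/md5": "md5", "crypto/sha1": "sha1",
	"golang.org/x/crypto/md4": "md4", "golang.org/x/crypto/ripemd160": "ripemd160"}
// Constructed sample input: an aliased weak import next to an acceptable one.
const sample = `package demo
import legacy "crypto/md5"
import "crypto/sha256"
var a = legacy.New()
var b = sha256.New()`

// FindWeakHashNew reports "line: importpath.New()" for each New() call on a weak hash package.
func FindWeakHashNew(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // name used in this file (alias or default) -> import path
	for _, imp := range file.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		if name, weak := weakHashPkgs[p]; weak {
			if imp.Name != nil {
				name = imp.Name.Name
			}
			local[name] = p
		}
	}
	var out []string
	ast.Inspect(file, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "New" {
				if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] != "" {
					out = append(out, fmt.Sprintf("%d: %s.New()", fset.Position(call.Pos()).Line, local[id.Name]))
				}
			}
		}
		return true
	})
	return out, nil
}
func main() { fmt.Println(FindWeakHashNew(sample)) }
```

Only the syntax tree is inspected, so a local variable that shadows the package name would also match; resolving identifiers with go/types removes that false positive.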
Vulnerable code example
package main
import (
"crypto/des"
"crypto/md5"
"crypto/sha1"
)
...
✅ Secure code example
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"io"
...