TypeScript Crypto Unsafe Empty Password
Description
This detector identifies TypeScript code that uses Node.js crypto functions with empty or missing passwords/passphrases. Empty passwords in cryptographic operations provide no security benefit and make encrypted data vulnerable to trivial attacks, essentially equivalent to storing data in plaintext.
Detection Strategy
• The detector searches for calls to Node.js crypto module functions that accept password or passphrase parameters
• It identifies when these cryptographic functions are invoked with empty strings, null values, or missing password arguments
• Common vulnerable patterns include crypto.createCipher('algorithm', ''), crypto.pbkdf2() called with an empty password, or crypto.scrypt() called without a password argument at all
• The vulnerability is reported when cryptographic operations are performed without meaningful password protection
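The strategy above, as an added illustration that is not the Fluid Attacks detector's own code: a simplified TypeScript scanner that applies the same rule (password argument empty, null, undefined or missing) to the crypto calls named in this section. The names findEmptyPasswordCalls, Finding and SAMPLE are hypothetical, and the sample source is constructed for the example.

```typescript
// Hypothetical, simplified stand-in for the detector: regex based, not AST based.
interface Finding {
  line: number;   // 1-based line of the offending call
  call: string;   // crypto function that was called
  reason: string; // why the password argument is considered unsafe
}

// Calls whose first argument is the password/passphrase.
const PASSWORD_FIRST = ["pbkdf2", "pbkdf2Sync", "scrypt", "scryptSync"];
// Legacy calls whose second argument is the password.
const PASSWORD_SECOND = ["createCipher", "createDecipher"];

function classifyArg(arg: string | undefined): string | null {
  if (arg === undefined || arg === "") return "missing password argument";
  if (arg === '""' || arg === "''" || arg === "``") return "empty string password";
  if (arg === "null" || arg === "undefined") return `${arg} password`;
  return null; // a variable or non-empty literal is not flagged by this rule
}

function findEmptyPasswordCalls(source: string): Finding[] {
  // Drop line comments but keep newlines so reported line numbers stay correct.
  const clean = source.replace(/\/\/[^\n]*/g, "");
  const findings: Finding[] = [];
  const re = /crypto\.(\w+)\s*\(([^)]*)\)/g; // call with its raw argument list
  let m: RegExpExecArray | null;
  while ((m = re.exec(clean)) !== null) {
    const fn = m[1];
    const pos = PASSWORD_FIRST.indexOf(fn) >= 0 ? 0 : PASSWORD_SECOND.indexOf(fn) >= 0 ? 1 : -1;
    if (pos < 0) continue; // not a password-taking crypto call
    const args = m[2].split(",").map((s) => s.trim());
    const reason = classifyArg(args[pos]);
    if (reason !== null) {
      findings.push({ line: clean.slice(0, m.index).split("\n").length, call: fn, reason });
    }
  }
  return findings;
}

// Constructed sample: one clean call (line 3) and three that the rule flags.
const SAMPLE = `import * as crypto from 'crypto';
const k1 = crypto.pbkdf2Sync("", "salt", 1000, 32, "sha256"); // empty literal
const k2 = crypto.pbkdf2Sync(password, salt, 100000, 32, "sha256");
const c = crypto.createCipher('aes-256-cbc', '');
crypto.scrypt(null, salt, 64, cb);
`;
```

Running findEmptyPasswordCalls(SAMPLE) reports lines 2, 4 and 5 and leaves line 3 alone; a real detector would resolve variables and spread arguments, which this regex version does not.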
Vulnerable code example
import * as crypto from 'crypto';
// Vulnerable: using empty password in PBKDF2
function weakCrypto(): Buffer {
  return crypto.pbkdf2Sync(
    "", // Empty password provides no security
    "salt",
    1000,
    32,      // key length and digest completed here so the snippet runs; the original is cut off after the iteration count
    "sha256"
  );
}
✅ Secure code example
import * as crypto from 'crypto';
// Secure: validating password before PBKDF2
function secureCrypto(password: string): Buffer {
  if (!password) throw new Error("Password required"); // Prevent empty passwords
  return crypto.pbkdf2Sync(
    password, // Safe: validated non-empty password
    crypto.randomBytes(16), // per-call random salt; remaining arguments completed here, the original is cut off after the password
    100000,
    32,
    "sha256"
  );
}