SYM_PY_0173 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A02:2021 – Cryptographic Failures |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using Django's SECRET_KEY as the salt in Hashids exposes the secret key, because Hashids is not a cryptographic algorithm: it only obfuscates integers, and its salt is not protected by any hardness assumption. If attackers can observe enough generated Hashids, they may be able to recover the salt, and with it the SECRET_KEY.
Impact
If the SECRET_KEY is exposed, attackers can compromise Django's core security features, such as session management, CSRF protection, and password resets. This could lead to full application takeover, data breaches, or unauthorized actions within the system.
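Added example (not code from the Symbiotic database or from Django/Hashids): a small source check that flags `Hashids(...)` calls seeded with `SECRET_KEY`, alongside a hardened helper that derives a separate salt with HMAC-SHA256 so that a salt recovered from observed Hashids does not reveal `SECRET_KEY`. The sample source it scans is constructed for this example, and `derive_hashids_salt` is an assumed helper name.

```python
"""Added example: detect SECRET_KEY used as a Hashids salt, and derive a
dedicated salt instead (HMAC-SHA256 keyed by SECRET_KEY, one-way)."""
import hashlib
import hmac
import re

# Matches a Hashids(...) call whose argument list mentions SECRET_KEY directly,
# e.g. Hashids(salt=settings.SECRET_KEY) or Hashids(settings.SECRET_KEY, 8).
# A nested call such as derive_hashids_salt(settings.SECRET_KEY) is not matched,
# because [^()] cannot cross the inner parenthesis.
_RISKY_HASHIDS = re.compile(r"Hashids\s*\([^()]*?\bSECRET_KEY\b")


def find_secret_key_salt(source: str) -> list[int]:
    """Return 1-based line numbers where Hashids is seeded with SECRET_KEY."""
    return [
        n for n, line in enumerate(source.splitlines(), start=1)
        if _RISKY_HASHIDS.search(line)
    ]


def derive_hashids_salt(secret_key: str, purpose: str = "hashids-salt") -> str:
    """Derive a separate Hashids salt from SECRET_KEY with HMAC-SHA256.

    The derivation is one-way: an attacker who recovers this salt from the
    generated Hashids still does not learn SECRET_KEY. Hashids itself remains
    an obfuscation scheme, so the encoded IDs must not be treated as secret.
    """
    mac = hmac.new(secret_key.encode(), purpose.encode(), hashlib.sha256)
    return mac.hexdigest()


# Constructed sample of a Django module, used as input for the check.
SAMPLE_SOURCE = """\
from hashids import Hashids
from django.conf import settings

id_codec = Hashids(salt=settings.SECRET_KEY, min_length=8)                # risky
other = Hashids(salt=settings.HASHIDS_SALT, min_length=8)                 # fine
legacy = Hashids(settings.SECRET_KEY, 8)                                  # risky
hardened = Hashids(salt=derive_hashids_salt(settings.SECRET_KEY))         # fine
"""

if __name__ == "__main__":
    print("risky lines:", find_secret_key_salt(SAMPLE_SOURCE))
    print("derived salt:", derive_hashids_salt("django-insecure-example-key"))
```

Prefer a fully independent value (for example a `HASHIDS_SALT` setting loaded from the environment) where one is available; the HMAC derivation is the fallback when only `SECRET_KEY` is deployed.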