GHSA-x2g5-fvc2-gqvp

Suggest an improvement
Source
https://github.com/advisories/GHSA-x2g5-fvc2-gqvp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x2g5-fvc2-gqvp/GHSA-x2g5-fvc2-gqvp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2g5-fvc2-gqvp
Published
2026-03-05T21:54:31Z
Modified
2026-03-05T22:02:34.649814Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Flowise has Insufficient Password Salt Rounds
Details

Description

The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security.

Affected Code

export function getHash(value: string) {
    const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5'))
    return bcrypt.hashSync(value, salt)
}

Evidence

Using 5 salt rounds provides 2^5 = 32 iterations, which is far below the OWASP recommendation of 10 (2^10 = 1024 iterations) for bcrypt. This makes password hashes vulnerable to brute-force attacks with modern hardware.

Impact

Faster password cracking - in the event of database compromise, attackers can crack password hashes significantly faster than with proper salt rounds, potentially compromising all user accounts.

Recommendation

Increase default PASSWORDSALTHASH_ROUNDS to at least 10 (recommended by OWASP). Consider using 12 for better security-performance balance. Document that higher values increase login time but improve security.

Notes

The default bcrypt salt rounds is 5 (line 6), which provides only 2^5=32 iterations. OWASP recommends minimum 10 rounds (1024 iterations) for bcrypt. While configurable via PASSWORDSALTHASH_ROUNDS env var, the default matters because: (1) most deployments use defaults, (2) existing password hashes at 5 rounds remain vulnerable even if later increased. With modern GPUs, 5 rounds allows ~300,000 hashes/second vs ~10,000/second at 10 rounds - a 30x difference in cracking speed. In a database breach scenario, all user passwords could be cracked significantly faster. The same weak default is used in resetPassword (account.service.ts:568). This is a cryptographic weakness with real-world impact on password security.

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value | |---|---| | Severity | Medium | | CWE | CWE-916 (Use of Password Hash With Insufficient Computational Effort) | | Location | packages/server/src/enterprise/utils/encryption.util.ts:5-7 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai |

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T21:54:31Z",
    "cwe_ids": [
        "CWE-328",
        "CWE-916"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / flowise

Package

Name
flowise
View open source insights on deps.dev
Purl
pkg:npm/flowise

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.13

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x2g5-fvc2-gqvp/GHSA-x2g5-fvc2-gqvp.json"
last_known_affected_version_range 
"<= 3.0.12"