Description
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.
Problem types
Use of Password Hash With Insufficient Computational Effort
Product status
Any version before 3.0.13
3.0.13 (semver)
Credits
kolega-ai-dev
References
github.com/...lowise/security/advisories/GHSA-x2g5-fvc2-gqvp (GitHub Security Advisory (GHSA-x2g5-fvc2-gqvp))
www.vulncheck.com/...-password-salt-rounds-in-bcrypt-hashing (VulnCheck Advisory: Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing)