Skip to main content
Failures related to cryptography which often lead to sensitive data exposure. This includes the use of weak or broken cryptographic algorithms, improper key management, weak random number generation, and transmission of data in cleartext.
CodeAnt AI detects Cryptographic Failures vulnerabilities across 18 languages: Python, Java, JavaScript, TypeScript, Go, C#, Ruby, PHP, Kotlin, Swift, Rust, Scala, C++, Clojure, Elixir, Terraform, HTML, YAML.

Detected Vulnerabilities

Severity: High

Description

The application uses a broken or risky cryptographic algorithm such as MD5, SHA1, DES, or RC4, which have known vulnerabilities that can be exploited by attackers.

Impact

Attackers can forge signatures, recover plaintext from encrypted data, or create hash collisions, undermining the security guarantees the cryptography was intended to provide.

Remediation

Replace MD5/SHA1 with SHA-256 or SHA-3 for hashing. Replace DES/RC4 with AES-256-GCM for encryption. Use well-established cryptographic libraries. Follow current NIST recommendations.
Severity: High

Description

The application uses a cryptographic algorithm with insufficient key length, making it feasible for attackers to break the encryption through brute-force or other attacks.

Impact

Encrypted data can be decrypted by attackers using modern computing resources, exposing sensitive information such as credentials, personal data, or financial records.

Remediation

Use minimum key lengths of 2048-bit for RSA, 256-bit for AES, and 256-bit for elliptic curve cryptography. Regularly review and update key lengths as computing power increases.
Severity: Critical

Description

The application does not properly validate SSL/TLS certificates, allowing attackers to intercept encrypted communications through man-in-the-middle attacks.

Impact

All data transmitted over supposedly secure connections can be intercepted and read by attackers, including authentication credentials, session tokens, and sensitive data.

Remediation

Always validate SSL/TLS certificates. Do not disable certificate verification in production. Use proper certificate pinning where appropriate. Keep certificate stores up to date.
Severity: High

Description

The application uses predictable random values for security-sensitive operations such as token generation, session IDs, or cryptographic keys.

Impact

Attackers can predict generated values, allowing them to forge session tokens, bypass CSRF protections, or guess cryptographic keys.

Remediation

Use cryptographically secure random number generators (CSPRNG) for all security-sensitive operations. In Python use secrets, in Java use SecureRandom, in Go use crypto/rand.
Severity: High

Description

The application transmits sensitive data over an unencrypted channel (HTTP instead of HTTPS, unencrypted database connections, etc.), making it readable to anyone monitoring the network.

Impact

Sensitive data including credentials, personal information, and financial data can be intercepted by attackers through network sniffing, especially on shared or public networks.

Remediation

Use TLS/HTTPS for all data transmission. Enforce HSTS headers. Configure secure database connections. Use encrypted protocols for all inter-service communication.
Severity: Critical

Description

The application contains hard-coded cryptographic keys in the source code, making them discoverable by anyone with access to the codebase.

Impact

Hard-coded keys can be extracted from source code or compiled binaries, allowing attackers to decrypt data, forge tokens, or impersonate the application.

Remediation

Store cryptographic keys in secure key management systems (AWS KMS, HashiCorp Vault, etc.). Use environment variables or secret managers. Never commit keys to version control.
Severity: Medium

Description

The application uses a weak hashing algorithm for password storage or data integrity verification that does not provide sufficient collision resistance.

Impact

Attackers can find collisions or use precomputed rainbow tables to reverse hashed values, compromising password security and data integrity.

Remediation

Use bcrypt, scrypt, or Argon2 for password hashing. Use SHA-256 or SHA-3 for data integrity. Apply proper salting for all password hashes.
Severity: High

Description

The application uses a pseudo-random number generator (PRNG) that is not suitable for cryptographic purposes in a security context, such as Math.random() or random.random().

Impact

Security tokens, session identifiers, or encryption keys generated with weak PRNGs can be predicted, enabling session hijacking, token forgery, or cryptographic attacks.

Remediation

Replace weak PRNGs with cryptographically secure alternatives: secrets module in Python, crypto.randomBytes in Node.js, SecureRandom in Java, crypto/rand in Go.
Severity: Critical

Description

The application stores, transmits, or handles user credentials in an insecure manner, such as storing passwords in plaintext, using reversible encryption, or logging credentials.

Impact

Compromised credential storage leads to mass account takeover. Leaked credentials can be used for credential-stuffing attacks across multiple services.

Remediation

Hash passwords with bcrypt/Argon2 using per-user salts. Never store plaintext passwords. Use secure credential transmission. Implement credential rotation policies.