CVE-2025-6224: Go Hash Sum Api Misuse Leak

Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · Go · β
greprules fetch cve-2025-6224-go-hash-sum-api-misuse-leak --engine opengrep

Description

Calling `.Sum(data)` directly on a newly created `hash.Hash` without calling `.Write()` does not hash `data`. Instead, it computes the hash of an empty string and appends it to `data`. This unintentionally embeds and leaks `data` in plaintext. If `data` is a sensitive value like a private key, this compromises cryptographic secrets. To hash data correctly, e
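
The misuse described above beside the correct `Write`-then-`Sum(nil)` sequence, as an added example (not code from this rule or from any affected project). SHA-256, the function names and the sample secret are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// misuseSum reproduces the flagged pattern: Sum(data) on a fresh hash
// with no prior Write. Sum appends the digest of what has been written
// so far (nothing) to data and returns the combined slice.
func misuseSum(data []byte) []byte {
	h := sha256.New()
	return h.Sum(data) // result is data || SHA-256("")
}

// correctSum feeds data through Write, then asks for the digest alone.
func correctSum(data []byte) []byte {
	h := sha256.New()
	h.Write(data) // hash.Hash.Write never returns an error
	return h.Sum(nil)
}

// leaksInput reports whether out has the shape the misuse produces:
// the input in the clear followed by the digest of the empty message.
// Useful as a unit-test assertion around code that is meant to hash a secret.
func leaksInput(out, data []byte) bool {
	empty := sha256.Sum256(nil)
	return len(out) == len(data)+sha256.Size &&
		bytes.HasPrefix(out, data) &&
		bytes.Equal(out[len(data):], empty[:])
}

func main() {
	secret := []byte("constructed-sample-secret") // constructed sample value
	bad := misuseSum(secret)
	good := correctSum(secret)

	fmt.Printf("misuse  (%d bytes): %q\n", len(bad), bad)
	fmt.Printf("correct (%d bytes): %s\n", len(good), hex.EncodeToString(good))
	fmt.Println("misuse leaks input: ", leaksInput(bad, secret))
	fmt.Println("correct leaks input:", leaksInput(good, secret))
}
```

The misuse output is longer than a digest (input length plus 32 bytes for SHA-256) and its tail is the same for every input, which makes it easy to spot in stored values or test fixtures.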