VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 12, 2024· Updated Dec 13, 2024

Beego Vulnerable to Collision Hazards of MD5 in Cache Key Filenames

CVE-2024-55885

Description

beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Beego framework prior to v2.3.4 uses MD5 hashing, which is vulnerable to collision attacks, potentially allowing authentication bypass.

Vulnerability

Description Beego, an open-source web framework for Go, used MD5 as its hashing algorithm in versions prior to 2.3.4 [1]. MD5 is cryptographically broken and susceptible to collision attacks, where an attacker can produce two different inputs that yield the same hash [1].

Attack

Vector An attacker with the ability to influence data that is hashed (e.g., passwords, tokens, or session identifiers) could exploit MD5 collisions to forge valid hashes. This could be done without requiring authentication if the attacker can provide crafted input that matches an existing hash [1].

Impact

Successful exploitation could allow an attacker to bypass authentication mechanisms, escalate privileges, or compromise data integrity by generating valid signatures or password hashes that collide with legitimate ones [1].

Mitigation

Version 2.3.4 of Beego replaces MD5 with SHA256, which is currently considered cryptographically secure. Users are strongly advised to upgrade to this version or later [1].

References
  1. NVD - CVE-2024-55885

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/beego/beegoGo
<= 1.12.14
github.com/beego/beego/v2Go
< 2.3.42.3.4

Affected products

47

Patches

1
e7fa4835f71f

modify: file cache writer md5 to sha256 (#5727)

https://github.com/beego/beegoStoneDec 8, 2024via ghsa
commit
2 files changed · +16 8
  • client/cache/file.go+8 6 modified
    @@ -17,7 +17,7 @@ package cache
 import (
 	"bytes"
 	"context"
-	"crypto/md5"
+	"crypto/sha256"
 	"encoding/gob"
 	"encoding/hex"
 	"encoding/json"
@@ -123,29 +123,30 @@ func (fc *FileCache) Init() error {
 
 // getCacheFileName returns a md5 encoded file name.
 func (fc *FileCache) getCacheFileName(key string) (string, error) {
-	m := md5.New()
+	m := sha256.New()
 	_, _ = io.WriteString(m, key)
-	keyMd5 := hex.EncodeToString(m.Sum(nil))
+	keySha256 := hex.EncodeToString(m.Sum(nil))
 	cachePath := fc.CachePath
 	switch fc.DirectoryLevel {
 	case 2:
-		cachePath = filepath.Join(cachePath, keyMd5[0:2], keyMd5[2:4])
+		cachePath = filepath.Join(cachePath, keySha256[0:2], keySha256[2:4])
 	case 1:
-		cachePath = filepath.Join(cachePath, keyMd5[0:2])
+		cachePath = filepath.Join(cachePath, keySha256[0:2])
 	}
 	ok, err := exists(cachePath)
 	if err != nil {
 		return "", err
 	}
 	if !ok {
+		fmt.Printf("cachePath: %s\n", cachePath)
 		err = os.MkdirAll(cachePath, os.ModePerm)
 		if err != nil {
 			return "", berror.Wrapf(err, CreateFileCacheDirFailed,
 				"could not create the directory: %s", cachePath)
 		}
 	}
 
-	return filepath.Join(cachePath, fmt.Sprintf("%s%s", keyMd5, fc.FileSuffix)), nil
+	return filepath.Join(cachePath, fmt.Sprintf("%s%s", keySha256, fc.FileSuffix)), nil
 }
 
 // Get value from file cache.
@@ -212,6 +213,7 @@ func (fc *FileCache) Put(ctx context.Context, key string, val interface{}, timeo
 	}
 
 	fn, err := fc.getCacheFileName(key)
+
 	if err != nil {
 		return err
 	}
  • client/cache/file_test.go+8 2 modified
    @@ -17,11 +17,10 @@ package cache
 import (
 	"context"
 	"fmt"
+	"github.com/stretchr/testify/assert"
 	"os"
 	"path/filepath"
 	"testing"
-
-	"github.com/stretchr/testify/assert"
 )
 
 func TestFileCacheStartAndGC(t *testing.T) {
@@ -30,6 +29,8 @@ func TestFileCacheStartAndGC(t *testing.T) {
 	assert.NotNil(t, err)
 	err = fc.StartAndGC(`{}`)
 	assert.Nil(t, err)
+	_, err = fc.getCacheFileName("key1")
+	assert.Nil(t, err)
 
 	assert.Equal(t, fc.CachePath, FileCachePath)
 	assert.Equal(t, fc.DirectoryLevel, FileCacheDirectoryLevel)
@@ -47,12 +48,17 @@ func TestFileCacheStartAndGC(t *testing.T) {
 	assert.Equal(t, fc.DirectoryLevel, 2)
 	assert.Equal(t, fc.EmbedExpiry, 0)
 	assert.Equal(t, fc.FileSuffix, ".bin")
+	_, err = fc.getCacheFileName("key1")
+	assert.Nil(t, err)
 
 	err = fc.StartAndGC(fmt.Sprintf(`{"CachePath":"%s","FileSuffix":".bin","DirectoryLevel":"aaa","EmbedExpiry":"0"}`, str))
 	assert.NotNil(t, err)
 
 	err = fc.StartAndGC(fmt.Sprintf(`{"CachePath":"%s","FileSuffix":".bin","DirectoryLevel":"2","EmbedExpiry":"aaa"}`, str))
 	assert.NotNil(t, err)
+
+	_, err = fc.getCacheFileName("key1")
+	assert.Nil(t, err)
 }
 
 func TestFileCacheInit(t *testing.T) {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.