QuantumScan: Public scan report

Repository: PostHog/posthog

Scanned on 26 Jun 2026

Risk score: 42 / 100

Moderate risk

Summary

PostHog uses MD5 for hashing in production STL cryptographic utilities, which is quantum-vulnerable under Grover's algorithm (reduced to 64-bit security). JWT authentication in enterprise edition uses RS256, which will be completely broken by Shor's algorithm on quantum computers within 5–15 years. No immediate cryptographic compromise, but HNDL (Harvest Now, Decrypt Later) risk exists for any long-lived session tokens or signed artifacts.

Critical: 3

High: 1

Medium: 0

Low: 0

Top findings

  • Critical | CWE-328 | MD5

    common/hogvm/python/stl/crypto.py:22

    SHA3-256 or SHA-256

    Evidence
    digest = hashlib.md5(data.encode()).digest()
  • Critical | CWE-328 | MD5

    common/hogvm/python/stl/__init__.py:15

    SHA3-256 or SHA-256

    Evidence
    from .crypto import md5, sha256, sha256HmacChain
  • Critical | CWE-328 | MD5

    common/hogvm/python/stl/crypto.py:18

    SHA3-256 or SHA-256

    Evidence
    def md5(data: str | None, encoding: Literal["hex", "base64", "base64url", "binary"] = "hex") -> str | None:
  • High | CWE-327 | JWT quantum-vulnerable algorithm

    ee/api/agentic_provisioning/test/base.py:40

    HS256 (symmetric) or post-quantum signature schemes

    Evidence
    "algorithm": "RS256",
