codemod/cryptojs-md5-to-sha256

Transform CryptoJS.MD5() calls to use CryptoJS.SHA256() for stronger cryptographic security. MD5 is cryptographically broken and vulnerable to collision attacks.

Tags: security, cryptography, md5, sha256, hash, vulnerability, transformation
How to Use
Run this codemod on your codebase using one of the following commands

The easiest way to run this codemod without installing anything globally:

@codemod/cryptojs-md5-to-sha256

A security-focused codemod that transforms CryptoJS.MD5() calls to use CryptoJS.SHA256() for stronger cryptographic security. MD5 is cryptographically broken and vulnerable to collision attacks, making it unsuitable for security-sensitive applications.

Security Impact

This codemod addresses critical security vulnerabilities:

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • MITRE ATT&CK T1588.002: Obtain Capabilities: Tool
  • CVE-2004-2761: MD5 collision vulnerabilities
  • CVE-2008-4697: MD5 collision attacks

MD5 has known vulnerabilities and should be replaced with stronger hash functions like SHA-256 for security-critical applications.

Installation

bash

What It Does

This codemod automatically transforms MD5 usage to SHA-256 in JavaScript and TypeScript files:

Basic Transformations

Before:

javascript

After:

javascript

Method Chaining

Before:

javascript

After:

javascript

Variable Assignments and Return Statements

Before:

javascript

After:

javascript

What It Preserves

The codemod is designed to be conservative and safe:

  • Files with @preserve-md5 comments - Skip transformation entirely
  • Non-CryptoJS files - Only processes files that contain CryptoJS usage
  • Other CryptoJS methods - Only transforms MD5, leaves SHA1, SHA256, HMAC, etc. unchanged
  • Comments and formatting - Preserves code structure and comments
  • Method chaining - Maintains the same API structure

Target Files

  • JavaScript (.js)
  • TypeScript (.ts)
  • JSX (.jsx)
  • TSX (.tsx)

Excludes test files, node_modules, and build directories by default.

Important Notes

⚠️ Hash Output Length Change: SHA-256 produces 64-character hex strings compared to MD5's 32 characters. Code consuming these hashes may need updates to handle the different length.

⚠️ Review Required: While this codemod automates the transformation, review the changes to ensure they meet your application's requirements.
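
The rules listed under What It Does and What It Preserves, together with the output-length note above, as an added example that is not the codemod's own implementation: a simplified regex-based pass that rewrites CryptoJS.MD5( calls and lists the lines that still assume a 32-character digest. The function name, report fields and sample input are assumptions made for illustration.

```javascript
// Added example: regex-based sketch of the documented rules, not the codemod's code.
// migrateSource, SAMPLE and the report fields are hypothetical names.
// Limitation: a regex cannot tell code from strings or comments; an AST-based tool can.

const MD5_CALL = /\bCryptoJS\s*\.\s*MD5\s*\(/g; // CryptoJS.MD5( but not CryptoJS.HmacMD5(
const LENGTH_32_HINT = /\{32\}|length\s*[!=]==?\s*32\b/; // code assuming 32 hex chars

function migrateSource(source) {
  // Files marked @preserve-md5 are skipped entirely.
  if (source.includes('@preserve-md5')) {
    return { code: source, changed: 0, skipped: 'preserve-md5', review: [] };
  }
  // Only files that contain CryptoJS usage are processed.
  if (!/\bCryptoJS\b/.test(source)) {
    return { code: source, changed: 0, skipped: 'no-cryptojs', review: [] };
  }
  let changed = 0;
  const review = []; // 1-based line numbers that need a manual look
  const code = source.split('\n').map((line, index) => {
    // SHA-256 hex output is 64 characters, so 32-character checks will now fail.
    if (LENGTH_32_HINT.test(line)) review.push(index + 1);
    return line.replace(MD5_CALL, () => {
      changed += 1;
      return 'CryptoJS.SHA256(';
    });
  }).join('\n');
  return { code, changed, skipped: null, review };
}

// Constructed sample input (not taken from the page).
const SAMPLE = [
  "import CryptoJS from 'crypto-js';",
  "const key = CryptoJS.MD5(userId).toString();",
  "const mac = CryptoJS.HmacMD5(msg, secret).toString();",
  "const sha1 = CryptoJS.SHA1(msg);",
  "if (!/^[a-f0-9]{32}$/.test(key)) throw new Error('bad digest');",
].join('\n');

const report = migrateSource(SAMPLE);
console.log(report.code);
console.log(`rewritten calls: ${report.changed}, review lines: ${report.review.join(', ')}`);
```

Line 5 of the sample is reported for review because its 32-character pattern rejects every SHA-256 digest once line 2 has been rewritten.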

Running the Codemod

bash

Development

bash

License

MIT
