
@elit3pwner

The user update API exposes password hashes in the response, which poses a security risk. Recommendations include excluding the password field from API responses and implementing dedicated password management endpoints.

Password Hash Disclosure in User Update API

Severity

HIGH

CVSS Score & Vector

CVSS v3.1: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

The user update API endpoint returns the user's password hash in the HTTP response body after a successful update request. Although the password is stored using a strong hashing algorithm (pbkdf2_sha256), exposing password hashes constitutes disclosure of sensitive authentication material.

Password hashes must remain strictly server-side. Their exposure enables offline password cracking, facilitates credential reuse attacks, and significantly increases the impact of other vulnerabilities such as IDOR, XSS, or token compromise.

This issue indicates improper serialization of the User model, resulting in the inclusion of the password field in API responses.


Proof of Concept

Request

PATCH /api/users/26/ HTTP/2
Host: dev-us-west-1.aixblock.io
Content-Type: application/json
Cookie: sessionid=<valid_session_cookie>

{
  "first_name": "test",
  "last_name": "user"
}

Response

HTTP/2 200 OK
Content-Type: application/json

{
  "id": 26,
  "username": "testuser",
  "email": "[email protected]",
  "password": "pbkdf2_sha256$26HGYxAMAF7Tzg$D/wsmvVBUicTt7Y1vohQvrwWjw52gDoeYvXq2VHzNPU=",
  "is_active": true,
  "is_verified": true
}

The password field containing the password hash is returned directly in the API response.


Impact

High — enables offline password cracking, credential reuse attacks, and significantly increases the blast radius when chained with other vulnerabilities.


Recommendation

  • Exclude the password field from all API serializers used in responses.
  • Mark password fields as write_only where input is required.
  • Implement dedicated password management endpoints for password changes.
  • Conduct a review of all API responses to ensure no sensitive authentication material is exposed.
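The two ideas above, an allowlisted serializer that never echoes the password field and a response audit that flags Django-format password hashes (the pbkdf2_sha256 layout seen in the PoC), as an added example that is not part of this pull request. The hasher-prefix detection rule, the `serialize_user` allowlist and the sample response body are this example's own constructions, using a made-up hash value rather than the one from the report.

```python
import json
import re
from typing import Any

# Django stores passwords as "<hasher>$..." (e.g. pbkdf2_sha256$<iterations>$<salt>$<hash>).
# Flagging any string that starts with one of Django's built-in hasher names is the
# detection rule this example assumes; it is not a format defined by the report.
HASH_RE = re.compile(r"^(pbkdf2_sha256|pbkdf2_sha1|argon2|bcrypt_sha256|bcrypt|scrypt)\$\S+$")


def find_hash_leaks(node: Any, path: str = "$") -> list[tuple[str, str]]:
    """Walk a decoded JSON body and return (json_path, hasher) for every string
    that looks like a Django password hash, however deeply it is nested."""
    leaks: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            leaks += find_hash_leaks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            leaks += find_hash_leaks(value, f"{path}[{index}]")
    elif isinstance(node, str):
        match = HASH_RE.match(node)
        if match:
            leaks.append((path, match.group(1)))
    return leaks


def check_response(body: str) -> list[tuple[str, str]]:
    """Audit one raw JSON response body for leaked password hashes."""
    return find_hash_leaks(json.loads(body))


# Explicit allowlist of fields that may appear in a user response. "password" is
# deliberately absent, i.e. it is write-only: accepted on input, never serialized.
READ_FIELDS = ("id", "username", "email", "is_active", "is_verified")


def serialize_user(user: dict) -> dict:
    """Build the response body from the allowlist instead of dumping the whole model."""
    return {field: user[field] for field in READ_FIELDS if field in user}


# Constructed sample modelled on the PoC response; the hash and e-mail are fake.
LEAKY_RESPONSE = json.dumps({
    "id": 26, "username": "testuser", "email": "user@example.invalid",
    "password": "pbkdf2_sha256$26$constructedsalt$ZmFrZWhhc2hmb3JleGFtcGxl",
    "is_active": True, "is_verified": True,
})

if __name__ == "__main__":
    print(check_response(LEAKY_RESPONSE))  # [('$.password', 'pbkdf2_sha256')]
    print(check_response(json.dumps(serialize_user(json.loads(LEAKY_RESPONSE)))))  # []
```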



Signed-off-by: Dikshant Singh <[email protected]>