Description
free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of time of publication, a replacement for MD5 has not been committed to the free-one-api GitHub repository.
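The weakness described above, shown beside a hardened alternative, as an added example that is not code from free-one-api or its advisory. It assumes a Node.js backend that receives the password over TLS and hashes it server-side; the function names, scrypt cost parameters and sample password are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Weak pattern from the advisory: unsalted MD5 of the password.
function md5Digest(password) {
  return crypto.createHash("md5").update(password, "utf8").digest("hex");
}

// Hardened form: per-user random salt and memory-hard scrypt, computed server-side.
// Cost parameters are an assumption; tune them for the deployment.
const SCRYPT = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;

function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, SCRYPT);
  const { N, r, p } = SCRYPT;
  return ["scrypt", N, r, p, salt.toString("hex"), key.toString("hex")].join("$");
}

function verifyPassword(password, stored) {
  const parts = stored.split("$");
  if (parts.length !== 6 || parts[0] !== "scrypt") return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], "hex");
  const expected = Buffer.from(parts[5], "hex");
  if (expected.length !== KEY_LEN) return false;
  const actual = crypto.scryptSync(password, salt, KEY_LEN, { N, r, p });
  return crypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Constructed sample: two users who chose the same password.
function compareSchemes() {
  const pw = "correct horse battery staple";
  const alice = hashPassword(pw);
  const bob = hashPassword(pw);
  return {
    md5Identical: md5Digest(pw) === md5Digest(pw), // same digest for every user
    scryptIdentical: alice === bob,                // salts make records differ
    rightPasswordAccepted: verifyPassword(pw, alice),
    wrongPasswordRejected: !verifyPassword("not the password", bob),
  };
}

console.log(compareSchemes());
```

Because the MD5 digest is deterministic and unsalted, it is identical for every account that shares a password and, when computed client-side, the digest itself is what the backend accepts as the credential.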
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h
Various Sources (x_refsource_misc): https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15
Scores
CVSS v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
EPSS: 0.0032
EPSS Percentile: 23.8%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-328
Status: published
Products (1): RockChinQ/free-one-api <= 1.0.1
Published: Dec 30, 2024
Tracked Since: Feb 18, 2026