CWE-759: Use of a One-Way Hash without a Salt
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details.
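The contrast described above, as an added example that is not part of the CWE entry: an unsalted digest beside a per-password salt combined with an adaptive function, plus an audit helper that flags accounts sharing a stored digest. PBKDF2-HMAC-SHA256, the 600,000-iteration default, the storage format and all function names are assumptions chosen for illustration; the accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Weak form (CWE-759): the digest depends on the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: fresh 16-byte salt per password plus an adaptive KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_digests(records: dict) -> dict:
    """Audit helper: group accounts whose stored digests are identical."""
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Constructed sample accounts; two of them share a password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    # Unsalted: alice and bob collide, so one precomputed entry covers both.
    print("unsalted, shared digests:", list(shared_digests(weak).values()))
    # Salted: every record is unique even when the passwords match.
    print("salted, shared digests:  ", list(shared_digests(strong).values()))
```

Running `shared_digests` over an existing credential table is a quick check for this weakness: any group it returns means the stored values are a function of the password alone.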
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (1) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AT-5 | Contacts with Security Groups and Associations | AT | Security associations provide guidance on proper one-way hash usage including salting, reducing the chance of unsalted implementations. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-10205 | 1.8 | 8.8 | 0.0001 | 2025-09-17 |
| CVE-2020-16244 | 1.5 | 7.2 | 0.0024 | 2020-09-23 |
| CVE-2025-34208 | 1.5 | 7.5 | 0.0008 | 2025-10-02 |
| CVE-2023-1430 | 1.4 | 6.5 | 0.0160 | 2023-06-09 |
| CVE-2024-36440 | 1.4 | 6.8 | 0.0004 | 2024-08-22 |
| CVE-2020-25164 | 1.3 | 6.5 | 0.0010 | 2022-04-14 |
| CVE-2021-21253 | 1.2 | 5.8 | 0.0011 | 2021-01-21 |
| CVE-2025-36253 | 1.2 | 5.9 | 0.0001 | 2026-02-02 |
| CVE-2025-53884 | 1.1 | 5.3 | 0.0002 | 2025-09-17 |
| CVE-2024-8453 | 1.0 | 4.9 | 0.0012 | 2024-09-30 |
| CVE-2025-27408 | 1.0 | 4.8 | 0.0006 | 2025-02-28 |
| CVE-2023-33838 | 0.9 | 4.4 | 0.0003 | 2025-01-29 |
| CVE-2025-5922 | 0.0 | 0.0 | 0.0001 | 2025-07-29 |