Skip to content

[BugFix] [Vul] Add missing usedforsecurity=False in MD5 hashing to enable FIPS #18319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
May 19, 2025
Merged

[BugFix] [Vul] Add missing usedforsecurity=False in MD5 hashing to enable FIPS #18319

merged 6 commits into from
May 19, 2025

Conversation

@shaoyuyoung
Copy link
Contributor

@shaoyuyoung shaoyuyoung commented May 18, 2025
edited by github-actions bot
Loading

A supplement to the previous PR (#17043).
When it comes to MD5 hashing, we might meet the two problems below:

  • It is an unsafe hashing algorithm, please refer to CWE-327
  • As a result, when using vLLM (consisting of MD5 hashing without usedforsecurity=False) on FIPS, the program throws ValueError.

Solution: add the param usedforsecurity=False for hashlib.md5

BTW, I think we should add this vul pattern into vLLM CI check, avoiding the new unsafe use of md5 hashing to be introduced to the codebase.
FIX #18318

Warning
usedforsecurity=False is a "do not explode in FIPS mode" flag to make software FIPS tolerant, not making the code comply with FIPS.

@github-actions
Copy link

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

@mergify mergify bot added the v1 label May 18, 2025
@shaoyuyoung
Copy link
Contributor Author

I'm very sorry that some checking mechanisms were triggered when I updated the branch

@shaoyuyoung
Copy link
Contributor Author

shaoyuyoung commented May 18, 2025
edited
Loading

v1 label can be removed

@shaoyuyoung
Copy link
Contributor Author

shaoyuyoung commented May 18, 2025
edited
Loading

cc @russellb, mind taking a look at this? thanks! :)

@robertgshaw2-redhat robertgshaw2-redhat enabled auto-merge (squash) May 18, 2025 13:46
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label May 18, 2025
@robertgshaw2-redhat
Copy link
Collaborator

Thanks @shaoyuyoung

@robertgshaw2-redhat
Copy link
Collaborator

Would you be make the CI check to avoid future actions that break FIPS compliance?

@shaoyuyoung
Copy link
Contributor Author

Would you be make the CI check to avoid future actions that break FIPS compliance?

Sure thing! :)
But plz give me some time to understand vllm CI. I will send PR once I'm ready :)

@shaoyuyoung
Copy link
Contributor Author

The previous CI seemed to trigger a Docker error. I'm not sure whether it is my issue. Can we rerun the CI?

@vllm-bot vllm-bot merged commit d637b96 into vllm-project:main May 19, 2025
61 of 63 checks passed
@shaoyuyoung shaoyuyoung deleted the fix_md5_hashing branch May 19, 2025 09:44
@shaoyuyoung
Copy link
Contributor Author

Warning
As @tiran mentioned, usedforsecurity=False is a "do not explode in FIPS mode" flag to make software FIPS tolerant, not making the code comply with FIPS.

zzzyq pushed a commit to zzzyq/vllm that referenced this pull request May 24, 2025
@shaoyuyoung @cascade812
[BugFix] [Vul] Add missing usedforsecurity=False in MD5 hashing to …
e3e7a57 
…enable FIPS (vllm-project#18319)

Signed-off-by: cascade812 <[email protected]>
Signed-off-by: shaoyuyoung <[email protected]>
Co-authored-by: cascade <[email protected]>
Signed-off-by: Yuqi Zhang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robertgshaw2-redhat robertgshaw2-redhat robertgshaw2-redhat approved these changes

@WoosukKwon WoosukKwon Awaiting requested review from WoosukKwon

@njhill njhill Awaiting requested review from njhill

@ywang96 ywang96 Awaiting requested review from ywang96

@comaniac comaniac Awaiting requested review from comaniac

@alexm-redhat alexm-redhat Awaiting requested review from alexm-redhat

Assignees

No one assigned

Labels

ready ONLY add when PR is ready to merge/full CI is needed v1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] [Vul]: weak use of MD5 hashing in vLLM

4 participants

@shaoyuyoung @robertgshaw2-redhat @vllm-bot @cascade812