PT-2024-23109 · Serverpod · Serverpod

Published: 2024-03-27 · Updated: 2026-01-08 · CVE-2024-29886
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Serverpod versions prior to 1.2.6
Description: An issue was identified with the old password hash algorithm used by Serverpod, making stored hashes susceptible to rainbow table attacks if the database was compromised. The vulnerability is addressed by switching to the OWASP-recommended Argon2id password hash algorithm.
Recommendations: For versions prior to 1.2.6, upgrade to version 1.2.6 to resolve the issue. To migrate existing password hashes, call the Emails.migrateLegacyPasswordHashes() function with a session instance as an argument. This call can be made as part of server startup or from a web server route that is invoked remotely.
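As an added illustration (not Serverpod's code), the pattern below shows why a fast, unsalted hash is exposed to precomputed tables and how existing records can be migrated without the plaintext passwords, by wrapping each stored legacy digest in a slow, per-user-salted KDF. The legacy scheme is a constructed stand-in, since the page does not specify the original algorithm, and hashlib.scrypt stands in for Argon2id because Argon2 is not in the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy scheme (the page does not specify the
# original algorithm): one fast, unsalted SHA-256 over the password. Every
# account with the same password stores the same digest, so a single
# precomputed table matches all of them once the database leaks.
def legacy_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Memory-hard, per-user-salted KDF. Argon2id (what Serverpod 1.2.6 adopts) is
# not in the Python standard library, so scrypt stands in for it here.
def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def hash_new_password(password: str) -> str:
    # Fresh accounts: random salt, KDF directly over the password.
    salt = os.urandom(16)
    return "v2$" + salt.hex() + "$" + kdf(password.encode(), salt).hex()

def migrate_legacy_record(legacy_digest: bytes) -> str:
    # Migration without the plaintext: wrap the stored legacy digest in the
    # slow salted KDF. A table built against the legacy scheme is useless
    # against the result, because each record now has its own salt and the
    # attacker must pay the KDF cost per guess per user.
    salt = os.urandom(16)
    return "v1w$" + salt.hex() + "$" + kdf(legacy_digest, salt).hex()

def verify(password: str, stored: str) -> bool:
    # Both record versions verify through the same KDF; wrapped legacy
    # records reproduce the legacy digest first, then feed it to the KDF.
    try:
        version, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if version == "v2":
        secret = password.encode()
    elif version == "v1w":
        secret = legacy_hash(password)
    else:
        return False
    return hmac.compare_digest(kdf(secret, salt), expected)

if __name__ == "__main__":
    record = migrate_legacy_record(legacy_hash("correct horse"))
    print(record, verify("correct horse", record), verify("wrong", record))
```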

Related Identifiers: CVE-2024-29886, GHSA-R75M-26CQ-MJXC

Affected Products: Serverpod