---
title: Avoid using the md5 crate for security
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid using the md5 crate for security
---

# Avoid using the md5 crate for security

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `rust-security/avoid-md5-hash`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [328](https://cwe.mitre.org/data/definitions/328.html)

**Related CWEs**:

- [916](https://cwe.mitre.org/data/definitions/916.html)

## Description{% #description %}

The `md5` crate computes MD5 digests. MD5 has been cryptographically broken for over a decade — practical collisions and chosen-prefix attacks are well known — and must not be used for integrity checks, password hashing, signature schemes, or any context where a cryptographic guarantee is required. For non-security checksums such as content addressing or cache keys, MD5 is sometimes acceptable; evaluate the context before suppressing. Use the `sha2` crate (`Sha256`, `Sha512`) or the `sha3` crate for security-sensitive hashing.

#### Learn More{% #learn-more %}

- [CWE-328: Use of Weak Hash](https://cwe.mitre.org/data/definitions/328.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use md5;
use md5::Digest;
use md5::{compute, Md5};

fn invalid(data: &[u8]) -> [u8; 16] {
    // Top-level convenience function
    let digest = md5::compute(data);

    // Type path through the crate
    let _ = md5::Md5::new();

    digest.into()
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use sha2::{Digest, Sha256};

fn ok(data: &[u8]) -> Vec<u8> {
    // SHA-256 — appropriate for security-sensitive hashing
    let mut hasher = Sha256::new();
    hasher.update(data);
    hasher.finalize().to_vec()
}

// No md5 usage anywhere in this file
fn unrelated(x: u32) -> u32 {
    x.wrapping_mul(31).wrapping_add(7)
}
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}