Use of deprecated cryptographic algorithm (RC4)

Description

The use of RC4 is detected. RC4 is deprecated and vulnerable to multiple cryptographic attacks. It is recommended to avoid RC4 entirely and prefer modern secure alternatives such as ChaCha20-Poly1305 for environments without hardware crypto, or AES-256-GCM with unique nonces and authenticated encryption.

Examples

Insecure Code

java

javax.crypto.Cipher.getInstance("RC4");

Secure Code

java

javax.crypto.Cipher.getInstance("ChaCha20-Poly1305");

Remediation

Replace RC4 with a secure alternative like ChaCha20-Poly1305 or AES-256-GCM.

Rule Details

Field	Value
ID	CODE-0665
Category	Crypto
Severity	MEDIUM
CWE	CWE-327
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	cryptographic failure, deprecated algorithm
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

References

https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Use of deprecated cryptographic algorithm (RC4)

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Use of deprecated cryptographic algorithm (RC4) ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Use of deprecated cryptographic algorithm (RC4)

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References