{"id":2919,"date":"2026-01-16T22:34:24","date_gmt":"2026-01-17T03:34:24","guid":{"rendered":"https:\/\/csimmons.dev\/blog\/?p=2919"},"modified":"2026-02-05T22:59:24","modified_gmt":"2026-02-06T03:59:24","slug":"coldfusion-hash-defaults-changed-heres-how-to-fix-it-with-regex","status":"publish","type":"post","link":"https:\/\/csimmons.dev\/blog\/2026\/01\/coldfusion-hash-defaults-changed-heres-how-to-fix-it-with-regex\/","title":{"rendered":"ColdFusion Hash() Defaults Changed \u2014 Here\u2019s How to Fix It With Regex"},"content":{"rendered":"<div>Starting with ColdFusion 2021 Update 14 and ColdFusion 2023 Update 8, the default hashing algorithm changed from CFMX_COMPAT to SHA-256.<\/div>\n<p>Any code relying on Hash(value) without explicitly specifying the algorithm can:<\/p>\n<ul>\n<li>Behave differently after an upgrade<\/li>\n<li>Break verification logic<\/li>\n<li>Trigger security scanner findings (Fixinator)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/fixinator.app\/\" target=\"_blank\" rel=\"noopener\">Fixinator<\/a> provides the following warning:<\/p>\n<blockquote>\n<div>Use of a weak hashing algorithm such as MD5 (the algorithm used by CFMX_COMPAT). This can also be a compatibility issue (after CF2023 update 8 and CF2021 update 14) if the hash algorithm is not specified. The default has changed from CFMX_COMPAT to SHA-256 in those releases.<\/div>\n<\/blockquote>\n<div>In CFML, Hash() can appear in two contexts:<\/div>\n<ol>\n<li>Output expressions: <code>#Hash(value)#<\/code><\/li>\n<li>Script\/logic: <code>Hash(value)<\/code><\/li>\n<\/ol>\n<p>Any global refactor must account for both forms. 
It took me a few iterations to get what I needed.<\/p>\n<p>This article demonstrates how to perform a global search and replace using REGEX in VS Code.<\/p>\n<p><strong>Note(s):<\/strong><\/p>\n<ul>\n<li>In the VS Code search panel REGEX is enabled with the <code>.*<\/code> icon to the right of the search input.<\/li>\n<li>The ColdFusion app I was working with used only <code>Hash()<\/code> and not <code>hash()<\/code>.<\/li>\n<li>You could use a case-insensitive search with the REGEX from Iteration 3 with &#8220;Preserve Case&#8221; for the replace input to account for <code>Hash()<\/code> vs <code>hash()<\/code> if necessary.<\/li>\n<li>Your mileage may vary on this solution.<\/li>\n<\/ul>\n<h2>WARNING<\/h2>\n<p><strong>PLEASE PREVIEW THE RESULTS OF YOUR SEARCHES BEFORE DOING THE REPLACE.<\/strong><\/p>\n<hr \/>\n<h2>Iteration 1<\/h2>\n<p>This was my first attempt.<\/p>\n<p><strong>Search:<\/strong> <code>#Hash\\(\\s*([^)]*?)\\s*\\)#<\/code><br \/>\n<strong>Replace:<\/strong> <code>#Hash($1, \"SHA-256\", \"UTF-8\")#<\/code><br \/>\n<strong>Bad Match:<\/strong> <code>&lt;a href=\"edit.cfm?newsID=#qData.newsID#&amp;verifyID=#Hash(qData.newsID, \"&gt;Edit&lt;\/a&gt;<\/code><br \/>\n<strong>Bad Result:<\/strong> <code>&lt;a href=\"edit.cfm?newsID=#qData.newsID#&amp;verifyID=#Hash(qData.newsID, \"&gt;Edit&lt;\/a&gt;<\/code><br \/>\n<strong>Why it&#8217;s bad:<\/strong> Caused incorrect code if the algorithm argument already existed.<\/p>\n<h2>Iteration 2<\/h2>\n<p>Based on the failure of the first attempt, I made the following second attempt.<\/p>\n<p><strong>Search:<\/strong> <code>#Hash\\(\\s*([^,\\)]+)\\s*\\)#<\/code><br \/>\n<strong>Replace:<\/strong> <code>#Hash($1, \"SHA-256\", \"UTF-8\")#<\/code><br \/>\n<strong>Missed Match:<\/strong><\/p>\n<pre>&lt;cfif Hash(URL.newsID) EQ URL.newsID&gt;\n...\n&lt;\/cfif&gt;\n<\/pre>\n<p><strong>Why it&#8217;s bad:<\/strong> No match when there were no pound signs (i.e., Script\/logic, not output).<\/p>\n<h2>Iteration 
3<\/h2>\n<p>Third time is a charm!<\/p>\n<p><strong>Search:<\/strong> <code>\\bHash\\(\\s*([^,\\)\\r\\n]+?)\\s*\\)<\/code><br \/>\n<strong>Replace:<\/strong> <code>Hash($1, \"SHA-256\", \"UTF-8\")<\/code><\/p>\n<figure id=\"attachment_2918\" aria-describedby=\"caption-attachment-2918\" style=\"width: 290px\" class=\"wp-caption alignnone\"><img width=\"300\" height=\"82\" data-public-id=\"cfhash-search-and-replace-regex\/cfhash-search-and-replace-regex.png\" loading=\"lazy\" decoding=\"async\" class=\"wp-post-2919 wp-image-2918 size-medium\" src=\"https:\/\/res.cloudinary.com\/ccsimmons\/images\/w_300,h_82,c_scale\/f_auto,q_auto\/v1768619524\/cfhash-search-and-replace-regex\/cfhash-search-and-replace-regex.png?_i=AA\" alt=\"cfhash search and replace regex\" data-crop=\"3.66\" data-format=\"png\" data-transformations=\"f_auto,q_auto\" data-version=\"1768619524\" data-seo=\"1\" srcset=\"https:\/\/res.cloudinary.com\/ccsimmons\/images\/w_300,h_82,c_scale\/f_auto,q_auto\/v1768619524\/cfhash-search-and-replace-regex\/cfhash-search-and-replace-regex.png?_i=AA 300w, https:\/\/res.cloudinary.com\/ccsimmons\/images\/f_auto,q_auto\/v1768619524\/cfhash-search-and-replace-regex\/cfhash-search-and-replace-regex.png?_i=AA 576w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption id=\"caption-attachment-2918\" class=\"wp-caption-text\">cfhash search and replace with regex vscode screenshot<\/figcaption><\/figure>\n<h2>Conclusion<\/h2>\n<div>YAY! This result yielded 206 corrections throughout the app that would have taken a long time to correct without a REGEX search and replace. This legacy app is 20+ years old so the first goal was compatibility. 
In a follow-up article I&#8217;ll look at improving security with HMAC.<\/div>\n<div><\/div>\n<hr \/>\n<h2><span style=\"color: #ff0000;\">Note<\/span><\/h2>\n<p><span style=\"color: #ff0000;\">This post was amended from &#8220;the default hashing algorithm changed from MD5 to SHA-256&#8221; to &#8220;the default hashing algorithm changed from CFMX_COMPAT to SHA-256&#8221;. Even though they do the same thing, the default was technically CFMX_COMPAT.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Starting with ColdFusion 2021 Update 14 and ColdFusion 2023 Update 8, the default hashing algorithm changed from CFMX_COMPAT to SHA-256. Any code relying on Hash(value) without explicitly specifying the algorithm can: Behave differently after an upgrade Break verification logic Trigger security scanner findings (Fixinator) Fixinator provides the following warning: Use of a weak hashing algorithm &#8230; <a title=\"ColdFusion Hash() Defaults Changed \u2014 Here\u2019s How to Fix It With Regex\" class=\"read-more\" href=\"https:\/\/csimmons.dev\/blog\/2026\/01\/coldfusion-hash-defaults-changed-heres-how-to-fix-it-with-regex\/\" aria-label=\"Read more about ColdFusion Hash() Defaults Changed \u2014 Here\u2019s How to Fix It With Regex\">Read 
more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_cloudinary_featured_overwrite":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[68],"tags":[48,12,76,75],"class_list":["post-2919","post","type-post","status-publish","format-standard","hentry","category-developer","tag-coldfusion","tag-developer","tag-fixinator","tag-regex"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pbVg43-L5","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/posts\/2919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/comments?post=2919"}],"version-history":[{"count":4,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/posts\/2919\/revisions"}],"predecessor-version":[{"id":2972,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/posts\/2919\/revisions\/2972"}],"wp:attachment":[{"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/media?parent=2919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/categories?post=2919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/csimmons.dev\/blog\/wp-json\/wp\/v2\/tags?post=2919"}],"curies":[{"name":"wp","href":"https:\/\/ap
i.w.org\/{rel}","templated":true}]}}