@Sandfish6811 I can't dive deeper into this rn, but the linked GHSA confirms the essence of the vulnerability and the way it was introduced.
I checked, and you are right that the hash is not sent back during auth. I'll probably leave a comment about this on /r/ so they can clarify.