CVE-2024-34069: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

May 6, 2024

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer’s machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer’s application that will trigger the debugger.

References

github.com/advisories/GHSA-2g68-c3qc-8985
github.com/pallets/werkzeug
github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
nvd.nist.gov/vuln/detail/CVE-2024-34069

Detect and mitigate CVE-2024-34069 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →