CVE-2024-34069

Werkzeug's improper pathname handling combined with inadequate CSRF protection results in remote command execution

CVSS 7.5 HIGH · EPSS 3.4% · CWE-352
In short

Werkzeug's debugger can be exploited by attackers to run malicious code on a developer's computer if the developer visits an attacker-controlled website and enters the debugger PIN. This is dangerous because it gives attackers direct access to run commands on the developer's machine.

Technical detail

A CSRF protection bypass (CWE-352) combined with improper pathname handling in Werkzeug's debugger allows remote code execution. The attack requires social engineering to trick a developer into visiting an attacker-controlled domain, entering the debugger PIN, and guessing a URL that triggers the debugger; successful exploitation grants arbitrary code execution even when the debugger is bound to localhost.

Summary generated and translated by AI from the official description.
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
pallets · werkzeug
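
A defender-side check that follows from the record above, added here as an example; it is not part of the original page or of the Werkzeug project. It scans a pip-style requirements or pin file for Werkzeug pins older than the fixed release 3.0.3 (the version named in the official description). The sample requirements text is constructed, and the pre-release handling is a deliberate simplification of this example rather than a full PEP 440 implementation.

```python
import re
from typing import List, Tuple

# Release in which the advisory says the issue is fixed.
FIXED_VERSION = "3.0.3"

# Constructed sample pin file; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
flask==3.0.2
Werkzeug==3.0.1   # pinned by an older Flask release
jinja2>=3.1
werkzeug==3.0.3
itsdangerous==2.1.2
"""

# Matches "name==version" pins; ranges like ">=3.1" are not exact and are skipped.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 style normalization: lower-case, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '3.0.1' into ((3, 0, 1), False).

    The boolean flags a pre-release / dev suffix such as '3.0.3rc1' or
    '3.0.3.dev0', which sorts before the plain release of the same number.
    """
    nums: List[int] = []
    prerelease = False
    for piece in text.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True  # segment like "dev0" with no leading digits
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True  # trailing letters after the number, e.g. "3rc1"
            break
    return tuple(nums), prerelease


def is_affected(version: str) -> bool:
    """True when the Werkzeug version predates the fixed release."""
    nums, pre = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    # Pad short versions ("3.0" means 3.0.0) so tuple comparison is fair.
    padded = nums + (0,) * (len(fixed) - len(nums))
    return padded < fixed or (padded == fixed and pre)


def find_affected_pins(requirements: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, name_as_written, version) for affected Werkzeug pins."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(requirements.splitlines(), start=1):
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        if normalize_name(name) == "werkzeug" and is_affected(version):
            hits.append((lineno, name, version))
    return hits


if __name__ == "__main__":
    for lineno, name, version in find_affected_pins(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}=={version} is older than {FIXED_VERSION}")
```

Pins expressed as ranges (for example `werkzeug>=3.0`) are skipped rather than judged, since the installed version cannot be known from the file alone; for those, check the resolved lockfile or the environment itself.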
