Flask app is run in debug mode
ID: py/flask-debug
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-215
- external/cwe/cwe-489
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls
Running a Flask application with debug mode enabled may allow an attacker to gain access through the Werkzeug debugger.
Ensure that Flask applications that are run in a production environment have debugging disabled. Rather than hard-coding debug=True in the source, enable debugging only from the environment (for example through the FLASK_DEBUG variable) so that it is off by default and cannot be deployed by accident.
Running the following code starts a Flask web server with debugging enabled. Visiting /crash raises an unhandled exception, and the interactive Werkzeug debugger shown on the resulting error page lets the visitor run arbitrary Python code in the server process.

from flask import Flask

app = Flask(__name__)

@app.route('/crash')
def main():
    # Any unhandled exception brings up the interactive debugger.
    raise Exception()

# BAD: debug=True enables the Werkzeug debugger for anyone who can reach the server.
app.run(debug=True)
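As an added example (this is not CodeQL's query and not code from the page), the following stdlib-only check scans Python source for the patterns this rule is about: debug mode switched on through a literal True. It parses the source with the ast module and reports app.run(debug=True), app.debug = True and app.config["DEBUG"] = True, whatever the app object is called. It assumes that only a literal True counts, so a value read from the environment is not reported; that makes it narrower than the CodeQL query, which is an assumption of this example. The three sample applications are constructed for the demonstration.

```python
"""Added example: a lightweight AST check for Flask debug mode enabled via literals.

Not CodeQL's implementation of py/flask-debug; it demonstrates the patterns the
rule targets using only the standard library.
"""
import ast

# Constructed sample: the page's vulnerable application.
VULNERABLE_APP = '''
from flask import Flask
app = Flask(__name__)

@app.route('/crash')
def main():
    raise Exception()

app.run(debug=True)
'''

# Constructed sample: debug is taken from the environment, so it is off unless
# explicitly requested at deployment time. Not reported by this check.
HARDENED_APP = '''
import os
from flask import Flask
app = Flask(__name__)

@app.route('/crash')
def main():
    raise Exception()

app.run(debug=os.environ.get("FLASK_DEBUG") == "1")
'''

# Constructed sample: debug enabled through the app attribute and the config mapping.
ATTRIBUTE_AND_CONFIG_APP = '''
from flask import Flask
app = Flask(__name__)
app.debug = True
app.config["DEBUG"] = True
'''


def _is_literal_true(node) -> bool:
    """True only for the literal constant True (not for 1, "yes", or expressions)."""
    return isinstance(node, ast.Constant) and node.value is True


def _subscript_key(node):
    """Return the constant key of a subscript, handling the pre-3.9 ast.Index wrapper."""
    index_cls = getattr(ast, "Index", None)
    if index_cls is not None and isinstance(node, index_cls):
        node = node.value
    return node.value if isinstance(node, ast.Constant) else None


def find_flask_debug(source: str, filename: str = "<string>") -> list:
    """Return (line, description) tuples where debug mode is enabled by a literal True.

    Assumption: the Flask application may be bound to any name, so the check
    keys on the attribute names (run, debug, config) rather than on 'app'.
    """
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        # <obj>.run(debug=True)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and _is_literal_true(kw.value):
                    findings.append((node.lineno, "run(debug=True)"))
        elif isinstance(node, ast.Assign) and _is_literal_true(node.value):
            for target in node.targets:
                # <obj>.debug = True
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, "debug attribute set to True"))
                # <obj>.config["DEBUG"] = True
                elif (isinstance(target, ast.Subscript)
                      and isinstance(target.value, ast.Attribute)
                      and target.value.attr == "config"
                      and _subscript_key(target.slice) == "DEBUG"):
                    findings.append((node.lineno, 'config["DEBUG"] = True'))
    return findings


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_APP),
                      ("hardened", HARDENED_APP),
                      ("attribute/config", ATTRIBUTE_AND_CONFIG_APP)]:
        print(name, find_flask_debug(src, name))
```

Because it only matches literals, the check stays precise but will miss a debug flag routed through a variable; that is the trade-off the CodeQL query resolves with data flow, which this stand-alone script does not attempt.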