Will It Vibe logoWill It Vibe?
FLASK-002Critical severity-25 points

Werkzeug debugger reachable from the network

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

app.run(host='0.0.0.0', debug=True) (or host='::') binds the dev server to every network interface while the Werkzeug interactive debugger is on. The debugger has no authentication by default in older Werkzeug releases and only a client-side PIN in newer ones, and both have public bypass techniques; either way this is remote code execution for anyone who can reach the port.

Why it matters

Binding to 0.0.0.0 or :: makes the dev server reachable from every network interface, not just the machine it runs on, and combining that with debug=True means the Werkzeug interactive debugger is reachable too. Older Werkzeug versions ship the debugger with no authentication at all, and newer ones use a PIN that is derived from machine-identifying values an attacker on the same network can often reconstruct. Either way, this is a documented path to remote code execution, not a theoretical one.

How to fix it

Never combine host="0.0.0.0" (or "::") with debug=True. For local development that needs to be reachable from another device, bind to all interfaces without debug mode, or keep debug mode and bind only to 127.0.0.1. For anything that behaves like production, run behind gunicorn/uWSGI/waitress with debug off entirely.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks