Werkzeug debugger reachable from the network
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
app.run(host='0.0.0.0', debug=True) (or host='::') binds the dev server to every network interface while the Werkzeug interactive debugger is on. The debugger has no authentication by default in older Werkzeug releases and only a client-side PIN in newer ones, and both have public bypass techniques; either way this is remote code execution for anyone who can reach the port.
Why it matters
Binding to 0.0.0.0 or :: makes the dev server reachable from every network interface, not just the machine it runs on, and combining that with debug=True means the Werkzeug interactive debugger is reachable too. Older Werkzeug versions ship the debugger with no authentication at all, and newer ones use a PIN that is derived from machine-identifying values an attacker on the same network can often reconstruct. Either way, this is a documented path to remote code execution, not a theoretical one.
How to fix it
Never combine host="0.0.0.0" (or "::") with debug=True. For local development that needs to be reachable from another device, bind to all interfaces without debug mode, or keep debug mode and bind only to 127.0.0.1. For anything that behaves like production, run behind gunicorn/uWSGI/waitress with debug off entirely.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo