CVE-2024-34069 – This vulnerability in Werkzeug's debugger allow... (How to Fix)

📋 TL;DR

This vulnerability in Werkzeug's debugger allows attackers to execute arbitrary code on a developer's machine if they can trick the developer into interacting with a controlled domain/subdomain and entering the debugger PIN. It affects developers using Werkzeug's debugger feature in vulnerable versions. Successful exploitation requires the attacker to also guess a URL in the developer's application that triggers the debugger.

💻 Affected Systems

Products:

Werkzeug

Versions: Versions before 3.0.3

Operating Systems: All operating systems running Python

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when debugger is enabled (typically in development environments, not production).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution on developer's machine, potentially leading to complete system compromise, data theft, or lateral movement within the development environment.

🟠

Likely Case

Limited code execution in the context of the debugger process, potentially allowing file access, credential theft, or further privilege escalation.

🟢

If Mitigated

No impact if debugger is disabled or proper network segmentation prevents external access to development environments.

🌐 Internet-Facing: MEDIUM - Requires specific conditions: debugger enabled, developer interaction with malicious domain, and attacker guessing correct URL.

🏢 Internal Only: MEDIUM - Same conditions apply internally; risk exists if internal attackers can trick developers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires social engineering (getting developer to interact with malicious domain) and guessing application URLs that trigger debugger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3

Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985

Restart Required: Yes

Instructions:

1. Update Werkzeug: pip install --upgrade werkzeug==3.0.3
2. Restart your Python application
3. Verify the update with: pip show werkzeug

🔧 Temporary Workarounds

Disable Debugger

all

Disable the Werkzeug debugger in all environments, especially production.

Set debug=False in Flask app configuration or ensure debugger is not enabled

Network Isolation

all

Ensure debugger is only accessible on localhost with proper firewall rules.

Configure firewall to block external access to debugger port (typically 5000)

🧯 If You Can't Patch

Disable Werkzeug debugger entirely in all environments
Implement strict network segmentation to isolate development environments from production and external networks

🔍 How to Verify

Check if Vulnerable:

Check Werkzeug version: pip show werkzeug | grep Version. If version is below 3.0.3 and debugger is enabled, system is vulnerable.

Check Version:

pip show werkzeug | grep Version

Verify Fix Applied:

Verify Werkzeug version is 3.0.3 or higher: pip show werkzeug | grep Version

📡 Detection & Monitoring

Log Indicators:

Unexpected debugger activation from unusual IPs
Multiple failed PIN attempts in debugger logs
Debugger access from non-localhost addresses

Network Indicators:

External connections to debugger port (typically 5000)
DNS requests to suspicious domains from development systems

SIEM Query:

source="werkzeug" AND ("Debugger PIN" OR "debugger") AND src_ip!=127.0.0.1

📊 Metadata

CVE ID: CVE-2024-34069

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

Published: May 6, 2024

Last Updated: December 3, 2025

🔗 References

https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692 Patch
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985 Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/ Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20240614-0004/ Third Party Advisory
https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692 Patch
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985 Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/ Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20240614-0004/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-34069, you might also want to check these: