
CVE-2024-34069: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.37264%
Published: 5/6/2024
Updated: 2/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: Werkzeug
Ecosystem: pip
Vulnerable Versions: < 3.0.3
First Patched Version: 3.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability allowed remote code execution via the Werkzeug debugger if an attacker could make a developer's browser send requests to the debugger, even when it was only listening on localhost. The core issue was that requests to the debugger's various functions were served without validating the 'Host' header. The referenced commit (3386395b24c7371db11a5b8eaac0c91da5362692) introduces trusted_hosts checks in several methods of the DebuggedApplication class. The functions listed as vulnerable are the DebuggedApplication methods that, before this patch, handled debugger operations (displaying the console, executing commands, PIN authentication, and rendering the debugger UI with evalex enabled) without verifying the requesting host. The patch evidence points to the newly added check_host_trust calls, implying that their absence was the vulnerability. The __call__ method is included because it is the main entry point that dispatches to those other vulnerable methods.
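The following is an added example, not Werkzeug's own code or the Miggo analysis: a minimal WSGI stand-in for the debugger's request dispatch that shows the missing check described above, run both without it (the vulnerable behaviour) and with it (the patched behaviour). The names DebuggerStub, host_matches_trusted, status_for and the constructed request environ are assumptions for illustration; the trusted-list semantics (exact match, or a leading dot matching a name and all of its subdomains) follow the usual convention for trusted_hosts lists and are not copied from the Werkzeug source.

```python
# Added example, not Werkzeug's own code: a minimal WSGI stand-in for the
# debugger dispatch, showing the Host-header check that CVE-2024-34069 was
# missing. DebuggerStub, host_matches_trusted and status_for are hypothetical
# names; the trusted-list semantics (exact match, or a leading dot matching
# the name and all of its subdomains) are the usual trusted_hosts convention.
from __future__ import annotations

from typing import Callable, Iterable


def _hostname_from_header(host_header: str) -> str:
    """Extract the hostname from a Host header value, dropping the port.

    Handles "example.com:5000", "127.0.0.1", and bracketed IPv6 literals
    such as "[::1]:5000"; a bare IPv6 address is returned unchanged.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1 : host.index("]")]
    # A single colon separates host and port; more than one means bare IPv6.
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_matches_trusted(host_header: str | None, trusted: Iterable[str]) -> bool:
    """Return True if the Host header names a trusted host.

    A trusted entry starting with "." (e.g. ".localhost") matches that
    name and every subdomain of it; any other entry must match exactly.
    A missing or empty Host header is never trusted.
    """
    if not host_header:
        return False
    hostname = _hostname_from_header(host_header)
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith("."):
            bare = entry[1:]
            if hostname == bare or hostname.endswith("." + bare):
                return True
        elif hostname == entry:
            return True
    return False


class DebuggerStub:
    """Tiny WSGI app that mimics the debugger's request dispatch.

    With check_host=False it behaves like the vulnerable versions: any
    Host header reaches the debugger endpoints. With check_host=True it
    rejects untrusted hosts before dispatching, like the patched versions.
    """

    def __init__(self, check_host: bool) -> None:
        self.check_host = check_host
        # Assumed default list: the loopback name (plus subdomains) and loopback IP.
        self.trusted_hosts: list[str] = [".localhost", "127.0.0.1"]

    def check_host_trust(self, environ: dict) -> bool:
        return host_matches_trusted(environ.get("HTTP_HOST"), self.trusted_hosts)

    def __call__(self, environ: dict, start_response: Callable) -> list[bytes]:
        if self.check_host and not self.check_host_trust(environ):
            start_response("400 BAD REQUEST", [("Content-Type", "text/plain")])
            return [b"Host not trusted"]
        # A real debugger would dispatch to console rendering, PIN auth or
        # command execution here; this stub only reports that it was reached.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"debugger reached"]


def status_for(app: Callable, host: str | None) -> str:
    """Drive the WSGI app with a constructed debugger request; return the status line."""
    captured: dict[str, str] = {}

    def start_response(status: str, headers: list, exc_info=None) -> None:
        captured["status"] = status

    # Constructed environ resembling a request to the debugger console.
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/console",
        "QUERY_STRING": "__debugger__=yes&cmd=pinauth",
    }
    if host is not None:
        environ["HTTP_HOST"] = host
    list(app(environ, start_response))  # consume the body iterable
    return captured["status"]


if __name__ == "__main__":
    vulnerable = DebuggerStub(check_host=False)
    patched = DebuggerStub(check_host=True)
    for host in ["localhost:5000", "dev.localhost", "127.0.0.1:5000",
                 "debug.attacker.example:5000", None]:
        print(f"{host!s:32} vulnerable={status_for(vulnerable, host)!r:18} "
              f"patched={status_for(patched, host)!r}")
```

Running the block prints one line per constructed Host value. The point it makes is the one in the analysis: without the check, a request whose Host is a name the attacker controls reaches the debugger endpoints exactly as a genuine localhost request does, so the browser-originated request the advisory describes is served; with the check in place the request is refused before any console, PIN or command-execution logic runs.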


WAF Protection Rules

WAF Rule

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the
