AIKIDO-2024-10085
Werkzeug is vulnerable to Remote Code Execution (RCE)
80
High Risk
This Affects:
WerkzeugTL;DR
Affected versions of the Werkzeug package can allow an attacker to execute code on a developer's machine under certain circumstances. This requires the attacker to trick the developer into interacting with a domain and subdomain they control, and into entering the debugger PIN. If successful, the attacker can gain access to the debugger, even if it is only running on localhost. Additionally, the attacker must guess a URL in the developer's application that will trigger the debugger.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
Werkzeug is vulnerable to Remote Code Execution (RCE) in versions 1.0 - 3.0.2.
How to fix this
Upgrade the Werkzeug library to the patch version.
Links
GitHub Release
Other
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/security.netapp.com/advisory/ntap-20240614-0004/lists.debian.org/debian-lts-announce/2025/02/msg00026.html
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant