CVE-2024-34069

Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution

Description

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.05%
Affected: pallets werkzeug
Published at:
Updated at:

References

Link Tags
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/
https://security.netapp.com/advisory/ntap-20240614-0004/
https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html

Frequently Asked Questions

What is the severity of CVE-2024-34069?
CVE-2024-34069 has been scored as a high severity vulnerability.
How to fix CVE-2024-34069?
To fix CVE-2024-34069, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-34069 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-34069 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-34069?
CVE-2024-34069 affects pallets werkzeug.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.