Executive Summary

This vulnerability exists in Unfurl through version 2025.08 and involves improper input validation during configuration parsing.

Specifically, the debug configuration value is read as a string and passed directly to the Flask app's run method (app.run()). Because any non-empty string evaluates as true in this context, Flask debug mode is enabled by default.

This allows attackers to access the Werkzeug debugger, which can disclose sensitive information or even allow remote code execution.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have severe impacts including unauthorized access to sensitive information and the potential for remote code execution.

• Attackers can exploit the enabled Flask debug mode to gain access to the Werkzeug debugger.
• Sensitive information disclosure can occur through the debugger interface.
• Remote code execution can be achieved, potentially allowing attackers to take control of the affected system.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to access the Werkzeug debugger, potentially disclosing sensitive information or enabling remote code execution. Such exposure of sensitive data and unauthorized system control can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health information confidentiality and system security.

Therefore, the presence of this vulnerability in Unfurl through 2025.08 could negatively impact compliance with these common standards and regulations by increasing the risk of data breaches and unauthorized access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Unfurl application is running with Flask debug mode enabled despite configuration settings intended to disable it. A proof-of-concept (PoC) script named `security_poc/poc_debug_mode.py` is available which performs two types of checks: a local spawn check that runs the Unfurl server with a temporary config file and inspects server logs for messages like "Debug mode: on" or "Debugger is active!", and a remote probe that attempts to detect debug indicators by sending HTTP requests to the target URL and looking for Werkzeug debugger traces in the responses.

To detect this manually, you can look for log messages indicating debug mode activation or send HTTP requests to the Unfurl server and inspect the responses for signs of the Werkzeug debugger interface.

• Run the Unfurl server locally with a config file setting `debug = False` and check logs for "Debug mode: on" or "Debugger is active!".
• Use curl or similar tools to send requests to the Unfurl server URL and inspect the HTTP response for debugger traces or stack traces indicative of Werkzeug debugger exposure.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Unfurl service to trusted internal networks only, ensuring it is not exposed to the public internet or untrusted networks, especially if it is bound to 0.0.0.0 or behind a reverse proxy.

Since no patched versions are available at the time of the advisory, it is critical to limit network exposure and monitor for any suspicious activity related to the Werkzeug debugger interface.

Additionally, review and modify the configuration to avoid passing the debug value as a string that evaluates to true, or consider disabling the debug mode explicitly in the application code if possible.

Useful 0 Not Useful 0