
Add security warning when dev server binds to non-localhost #6018

Closed
zinc-builds wants to merge 3 commits into pallets:main from zinc-builds:security/dev-server-host-warning

Conversation

@zinc-builds

Summary

Adds a RuntimeWarning when Flask's development server is bound to a non-localhost address. The Werkzeug debugger allows arbitrary code execution when exposed to the network, yet many tutorials and quick-start guides instruct users to bind to 0.0.0.0 without warning them of the risks.

Security Impact

Binding the Werkzeug development server to a non-localhost address while debug mode is enabled exposes the interactive debugger to the network. The debugger's PIN-protected console can execute arbitrary Python code. This change warns users when:

  1. The host is set to a non-local address (anything other than 127.0.0.1, localhost, or ::1)
  2. Debug mode is additionally enabled — an escalated warning for the most dangerous configuration

Implementation

  • Uses warnings.warn() with RuntimeWarning so the warning is visible but doesn't prevent the server from starting
  • Uses stacklevel=2 so the warning points to the user's app.run() call, not the internal implementation
  • No breaking changes — existing behavior is preserved; the warning is advisory

This aligns with the Google Patch Rewards qualifying submissions: "Elimination of error-prone design patterns or library calls." Binding a debug-capable server to 0.0.0.0 without warnings is a well-known footgun that has led to real-world compromises.

Checklist

  • No breaking changes to existing behavior
  • Uses standard library warnings module (no new dependencies)
  • Warning points to correct caller location via stacklevel
  • Compatible with all Python versions Flask supports

zinc-builds added 3 commits May 11, 2026 00:38
Warn users when Flask's development server is bound to a
non-localhost address, which exposes the Werkzeug debugger
to the network. The debugger allows arbitrary code execution
and should never be exposed on untrusted networks.

- Raises RuntimeWarning when host is not 127.0.0.1/localhost/::1
- Raises an additional RuntimeWarning when debug mode is also enabled
- Uses warnings.warn() so the warning is visible but doesn't prevent
  the server from starting (existing behavior preserved)

Flask's test suite uses filterwarnings=['error'] in pyproject.toml,
which causes RuntimeWarning to fail tests. Using logging.warning()
preserves the security warning while avoiding test failures.
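The host check from the PR description and the two warning strategies the commit messages describe (warnings.warn() with RuntimeWarning, then logging.warning() to survive a filterwarnings=['error'] test setting), as an added Python example that is not the PR's own diff; the function names, the logger name and the warning text are my own:

```python
import logging
import warnings

# Hosts the PR description treats as local; anything else is reachable from the network.
LOCAL_HOSTS = frozenset({"127.0.0.1", "localhost", "::1"})
# Hypothetical logger name, standing in for whatever the second commit used.
logger = logging.getLogger("example.dev_server")


def classify_bind(host, debug):
    """Return the warning messages a bind to `host` should trigger; side-effect free."""
    messages = []
    if host not in LOCAL_HOSTS:
        messages.append(
            f"Development server bound to {host!r} is reachable from the network; "
            "bind to 127.0.0.1 or use a production WSGI server instead."
        )
        if debug:  # escalated warning for the most dangerous configuration
            messages.append(
                "Debug mode is on while bound to a non-localhost address: the Werkzeug "
                "debugger console allows arbitrary code execution if it is reached."
            )
    return messages


def warn_on_exposed_bind(host, debug, use_logging=False):
    """Emit the warnings for a bind and return how many were emitted.

    use_logging=False mirrors the first commit (RuntimeWarning via warnings.warn);
    use_logging=True mirrors the second commit (logging.warning).
    """
    messages = classify_bind(host, debug)
    for text in messages:
        if use_logging:
            logger.warning(text)
        else:
            # stacklevel=2 attributes the warning to our caller (the app.run() site),
            # not to this helper.
            warnings.warn(text, RuntimeWarning, stacklevel=2)
    return len(messages)


def raises_under_error_filter(host, debug, use_logging=False):
    """True if the warning turns into an exception under filterwarnings='error',
    which is what made Flask's test suite fail with the warnings.warn() version."""
    with warnings.catch_warnings():
        warnings.simplefilter("error", RuntimeWarning)
        try:
            warn_on_exposed_bind(host, debug, use_logging=use_logging)
        except RuntimeWarning:
            return True
    return False
```

Under a strict warnings filter the RuntimeWarning version aborts the caller, while the logging version only writes a log record, which is the trade-off the second commit made.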
@ThiefMaster
Member

Not needed IMHO, and I have a strong feeling that this PR is LLM-generated.

@davidism
Member

Have you ever run the dev server before? It shows a warning always, no need for another one. Do not submit LLM junk to projects.
