Cyber Resilience

CVE-2024-34069

High

Published: 06 May 2024

Published
06 May 2024
Modified
03 December 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4365 97.6th percentile
Risk Priority 41 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-34069 is a high-severity CSRF (CWE-352) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Werkzeug is a WSGI web application library whose interactive debugger is affected by CVE-2024-34069 in versions prior to 3.0.3. The flaw stems from insufficient origin checks that allow an attacker to reach the debugger console even when it is bound only to localhost, provided the developer can be induced to visit a crafted domain and subdomain and supply the PIN.

An unauthenticated remote attacker can exploit the issue by first causing the developer to trigger an exception at a guessed application URL, then using a cross-site request to the debugger endpoint. Successful exploitation grants arbitrary code execution on the developer's workstation with the privileges of the process running the debugger.

The official fix is included in Werkzeug 3.0.3, as referenced in the GitHub security advisory GHSA-2g68-c3qc-8985 and the corresponding commit that hardens debugger origin validation. Downstream vendors have issued coordinated updates through Fedora and NetApp advisories that recommend upgrading to the patched release.

The EPSS score has remained at its peak value of 0.4365 since disclosure, indicating steady but not sharply increasing exploitation interest.

EU & UK References

Vulnerability details

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with…

more

a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables remote code execution on a developer's localhost Werkzeug development server by bypassing localhost restrictions in the debugger, triggered via social-engineered interaction with an attacker-controlled domain/subdomain and PIN entry, mapping to exploitation of client-side software vulnerabilities.

Affected Assets

palletsprojects
werkzeug
≤ 3.0.3
debian
debian linux
11.0
fedoraproject
fedora
38, 40

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-352

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.

addresses: CWE-352

Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.

addresses: CWE-352

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.

addresses: CWE-352

Detects anomalous request patterns consistent with cross-site request forgery.

References