SYM_PY_0131 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Exposure of Resource to Wrong Sphere
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-668: Exposure of Resource to Wrong Sphere |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Calling `app.run()` at the top level of a Flask module (outside an `if __name__ == "__main__":` guard or a function) causes the development server to start whenever the module is imported, not only when the file is executed directly. Any code that imports the module, such as a test runner or a WSGI entry point, starts the server as a side effect, so the app can end up running in a context it was never meant for and be exposed unexpectedly.
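As an added example (not part of this wiki entry or of the Symbiotic database's own tooling), the script below places the two patterns side by side as constructed source strings and implements a small `ast`-based check that flags a `.run(...)` statement executed at import time while accepting the guarded form. It deliberately descends into top-level `if`/`try`/`with` blocks, which still run on import, but not into function or class bodies. The function and sample names are assumptions of this example.

```python
import ast
from typing import List

# Constructed sample: the anti-pattern this entry describes. The server starts
# the moment another module imports this file.
VULNERABLE_SRC = '''
from flask import Flask

app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

app.run(host="0.0.0.0", port=5000)   # executes on import, not just on direct run
'''

# Constructed sample: the same app with app.run() behind a main guard, so
# importing the module only defines `app` and never binds a socket.
HARDENED_SRC = '''
from flask import Flask

app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

if __name__ == "__main__":
    app.run()
'''


def _is_main_guard(node: ast.AST) -> bool:
    """True for `if __name__ == "__main__":` (either operand order)."""
    if not isinstance(node, ast.If) or not isinstance(node.test, ast.Compare):
        return False
    cmp = node.test
    if len(cmp.ops) != 1 or not isinstance(cmp.ops[0], ast.Eq):
        return False
    sides = [cmp.left, cmp.comparators[0]]
    has_name = any(isinstance(s, ast.Name) and s.id == "__name__" for s in sides)
    has_main = any(isinstance(s, ast.Constant) and s.value == "__main__" for s in sides)
    return has_name and has_main


def find_toplevel_run_calls(source: str) -> List[int]:
    """Return line numbers of `<obj>.run(...)` statements that execute at import time.

    Function and class bodies are skipped (they only run when called), and the
    body of a `__main__` guard is skipped (it only runs on direct execution).
    Other compound statements at module level (if/for/while/try/with) are
    import-time code, so their bodies are searched too.
    """
    tree = ast.parse(source)
    hits: List[int] = []

    def visit_block(stmts: List[ast.stmt]) -> None:
        for stmt in stmts:
            if _is_main_guard(stmt):
                visit_block(stmt.orelse)  # the else branch still runs on import
                continue
            if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                func = stmt.value.func
                if isinstance(func, ast.Attribute) and func.attr == "run":
                    hits.append(stmt.lineno)
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                continue  # deferred code: not executed by importing the module
            for field in ("body", "orelse", "finalbody"):
                child = getattr(stmt, field, None)
                if isinstance(child, list):
                    visit_block(child)
            for handler in getattr(stmt, "handlers", []):
                visit_block(handler.body)

    visit_block(tree.body)
    return hits


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        lines = find_toplevel_run_calls(src)
        verdict = f"flagged at line(s) {lines}" if lines else "clean"
        print(f"{label}: {verdict}")
```

The check is intentionally narrow: it reports only expression statements whose callee attribute is named `run`, which matches the Flask idiom the rule targets without needing Flask installed to run the scan.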
## Impact

If `app.run()` is triggered unintentionally, the Flask server can be exposed to unauthorized users or environments, potentially leaking sensitive data or allowing attackers to interact with internal services. The result is broken access control or unplanned resource exposure, which increases the risk of a security breach.