Unfurl Improper Input Validation Vulnerability Leading to Debug Mode Activation and Werkzeug Debugger Exposure

Vulnerability

A vulnerability exists in Unfurl versions through 2025.08, where improper input validation in configuration parsing causes Flask debug mode to be enabled even when the configuration explicitly disables it. The debug setting is read from the configuration file as a string and passed directly to app.run(), which coerces it with bool(); any non-empty string, including the literal "False", therefore evaluates as true. As a result the Werkzeug debugger is active on a running instance, which can disclose sensitive information and, if its interactive console is reachable, lead to remote code execution.

Impact

Exploitation of this vulnerability, particularly if the service is exposed beyond localhost, gives an attacker access to the Werkzeug debugger. This can disclose sensitive information and, if the debugger PIN is obtained, allow remote code execution through the debugger's interactive console. At a minimum, the vulnerability exposes stack traces, source context and environment details whenever the application raises an error.

Reproduction

To reproduce this vulnerability, create a local 'unfurl.ini' file containing a '[UNFURL_APP]' section with the line 'debug = False'. Start the Unfurl server and inspect its startup output: it reports that debug mode is active even though the configuration disabled it. Alternatively, the provided PoC script can be used to automate this check.
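The following is an added example, not code from Unfurl or from the report's PoC script. It reproduces the faulty pattern described above (a string-typed debug value handed to app.run(), which Flask coerces with bool()) beside a hardened parser, and adds a small audit helper that checks an unfurl.ini the way the reproduction step does without starting a server. The section and key names ('[UNFURL_APP]', 'debug') follow the advisory; the function names and the sample configuration are assumptions made for illustration.

```python
"""Added example (not Unfurl's own code): why a string-typed `debug`
setting from an INI file is truthy when passed to Flask's app.run(),
and how parsing it as a real boolean fixes that."""
import configparser

# Constructed sample config: the operator explicitly disables debug mode.
SAMPLE_INI = """
[UNFURL_APP]
debug = False
"""


def load_config(ini_text: str) -> configparser.ConfigParser:
    """Parse INI text the way a file on disk would be parsed."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp


def debug_setting_vulnerable(ini_text: str) -> bool:
    """Mirror the flawed pattern: the raw string is handed on as-is.

    Flask.run() does `if debug is not None: self.debug = bool(debug)`,
    so any non-empty string, including "False", enables the debugger.
    The bool() call here stands in for what Flask does with the value.
    """
    cp = load_config(ini_text)
    raw = cp.get("UNFURL_APP", "debug", fallback="False")
    return bool(raw)


def debug_setting_fixed(ini_text: str) -> bool:
    """Hardened parsing: ConfigParser.getboolean() accepts only
    true/false, yes/no, on/off and 1/0 (case-insensitive) and raises
    ValueError for anything else, so an unrecognised value fails closed
    (debug stays off) instead of silently enabling the debugger."""
    cp = load_config(ini_text)
    try:
        return cp.getboolean("UNFURL_APP", "debug", fallback=False)
    except ValueError:
        return False


def audit_ini(ini_text: str) -> dict:
    """Check an existing config without starting a server: report the raw
    value, how the vulnerable code would interpret it, and the correct
    boolean. A mismatch between the two interpretations is the bug."""
    cp = load_config(ini_text)
    raw = cp.get("UNFURL_APP", "debug", fallback=None)
    return {
        "raw": raw,
        "naive_truthy": bool(raw) if raw is not None else False,
        "parsed_bool": debug_setting_fixed(ini_text),
    }


if __name__ == "__main__":
    # With "debug = False" the naive path still yields True.
    print(audit_ini(SAMPLE_INI))
```

To audit a deployed instance, read the real unfurl.ini into audit_ini() and compare the naive_truthy and parsed_bool fields; only an empty value or an absent key escapes the naive path, because bool("") is the sole falsy string. Failing closed on an unparseable value is deliberate: a typo in a debug flag should never turn an interactive debugger on.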

Added: Apr 9, 2026, 12:08 AM
Updated: Apr 9, 2026, 12:08 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.