Severity: medium | CWE-215 | OWASP A05:2021

Debug Mode Active in Production

Debug mode enabled in production exposes internal state, enables verbose logging, and sometimes activates interactive debugging endpoints that attackers can exploit.

How It Works

Debug flags in frameworks and tools like Django, Flask, Express-debug, and Node.js's --inspect activate additional behavior: verbose error pages, query logging, memory inspection endpoints, or interactive REPLs. In production, these become information disclosure and remote code execution vulnerabilities.

Vulnerable Code

// BAD: debug flags left on in production config
// next.config.ts
const config = {
  debug: true,  // logs internal Next.js operations
};
export default config;
// Or: starting Node with --inspect=0.0.0.0:9229 (binds the debugger to all interfaces!)

Secure Code

// GOOD: debug features conditional on environment
// next.config.ts
const config = {
  debug: process.env.NODE_ENV !== 'production',
};
export default config;
// Never start production servers with --inspect or --inspect-brk
// Use remote debugging only through a secure tunnel (never open to the internet)

Real-World Example

CVE-2019-13139 and related issues showed that Docker builds with --debug or exposed daemon sockets allowed remote code execution. Node.js inspector on 0.0.0.0:9229 has been exploited in cloud environments where port 9229 was reachable.

How to Prevent It

  • Never pass --inspect or --inspect-brk to node in production
  • Make all debug flags conditional on NODE_ENV !== 'production'
  • Audit your process manager config (PM2, supervisor) for debug flags
  • If you need remote debugging, use a secure SSH tunnel — never expose the debug port directly

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
