Severity: medium | CWE-489 (Active Debug Code) | OWASP A05:2021 (Security Misconfiguration)

Debug Routes in Production

Development and testing routes like /debug, /test, /seed, or /api/dev left active in production expose internal data, bypass authentication, or allow state manipulation.

How It Works

During development, teams create routes for debugging, seeding databases, resetting state, or testing features. These routes often skip authentication, expose internal data structures, or allow destructive operations like database resets. When the application is deployed to production without removing or protecting these routes, attackers can discover them through directory brute-forcing or by reading the source code. Common examples include /debug/config showing environment variables, /api/seed resetting the database, /test/login bypassing authentication, and /admin/phpinfo revealing server configuration. Automated scanners check for hundreds of common debug path patterns.
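
The discovery side of the paragraph above, as an added example that is not code from the page: a small probe that requests a list of common debug paths and classifies each response, the way a directory brute-forcer does. The path list and the function names (probeDebugPaths, summarizeProbes, classifyStatus) are constructed for this example; the default HTTP client is the global fetch of Node 18+, and it is injectable so the classification logic can be exercised offline.

```javascript
// Added example, not code from the page: probe a deployment for the common
// debug paths described above, the way a directory brute-forcer would.
// DEBUG_PATHS is a constructed sample list, not a scanner's real wordlist.
const DEBUG_PATHS = [
  '/debug', '/debug/config', '/debug/vars', '/test', '/test/login',
  '/seed', '/api/seed', '/api/dev', '/admin/phpinfo', '/phpinfo.php',
];

// A seed/reset route is usually POST-only: a GET probe against the page's
// /api/seed returns 404 in Express, so try both methods for every path.
const PROBE_METHODS = ['GET', 'POST'];

// Classify one observed status code.
//   2xx            -> a handler ran, so the route is exposed
//   401/403 or 3xx -> present but gated (403, or a redirect to a login page)
//   anything else  -> not usable (404, 405, 5xx, or 0 for a network error)
function classifyStatus(status) {
  if (status >= 200 && status < 300) return 'exposed';
  if (status === 401 || status === 403) return 'gated';
  if (status >= 300 && status < 400) return 'gated';
  return 'absent';
}

const RANK = { absent: 0, gated: 1, exposed: 2 };

// Reduce per-method observations to one verdict per path: the strongest
// result wins, so a path is exposed if any method reached a handler.
function summarizeProbes(observations) {
  const best = new Map();
  for (const { path, status } of observations) {
    const verdict = classifyStatus(status);
    if (!best.has(path) || RANK[verdict] > RANK[best.get(path)]) best.set(path, verdict);
  }
  const exposed = [];
  const gated = [];
  for (const [path, verdict] of best) {
    if (verdict === 'exposed') exposed.push(path);
    else if (verdict === 'gated') gated.push(path);
  }
  return { exposed, gated };
}

// Run the probes against baseUrl. fetchImpl is injectable so the logic can be
// tested offline; the default is the global fetch of Node 18+.
// redirect: 'manual' keeps 3xx responses visible instead of following them.
async function probeDebugPaths(baseUrl, fetchImpl = globalThis.fetch, paths = DEBUG_PATHS) {
  const observations = [];
  for (const path of paths) {
    for (const method of PROBE_METHODS) {
      let status = 0;
      try {
        const res = await fetchImpl(new URL(path, baseUrl).toString(), { method, redirect: 'manual' });
        status = res.status;
      } catch {
        status = 0; // connection error: treated as absent
      }
      observations.push({ path, method, status });
    }
  }
  return summarizeProbes(observations);
}

// Usage against a staging deployment you are authorised to test:
//   probeDebugPaths('https://staging.example.test').then(console.log);
```

Run it against your own pre-production deployment; anything in `exposed` is a route that answered without authentication and needs to be removed or gated before release. Paths in `gated` still confirm to an attacker that the route exists.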

Vulnerable Code
// Routes left in production (Express). dbConfig and seedUsers are the
// app's own config and fixture data; loading them is not shown here.
const express = require('express');
const app = express();

// Dumps every environment variable (API keys, DB credentials) to any caller
app.get('/debug/config', (req, res) => {
  res.json({ env: process.env, db: dbConfig });
});
// Unauthenticated POST wipes the user table and reloads fixtures
app.post('/api/seed', async (req, res) => {
  await db.user.deleteMany();
  await db.user.createMany({ data: seedUsers });
  res.json({ message: 'Database seeded' });
});
Secure Code
// Only register debug routes in development. Checking === 'development'
// fails closed: if NODE_ENV is unset, the routes are never registered.
// (NODE_ENV !== 'production' would fail open on the same mistake.)
if (process.env.NODE_ENV === 'development') {
  app.get('/debug/config', (req, res) => {
    res.json({ env: process.env, db: dbConfig });
  });
}
// Better: use a separate debug server on a different port
// Or remove debug routes entirely from production builds

Real-World Example

In 2017, a major US telecom company left a debug endpoint active in production that exposed customer data including names, addresses, and account PINs. The /debug endpoint required no authentication and was discovered by a security researcher, who found it had been publicly accessible for months.

How to Prevent It

  • Gate debug routes behind NODE_ENV === 'development' checks; an equality check on 'development' fails closed when the variable is unset, whereas NODE_ENV !== 'production' fails open
  • Use middleware, mounted before any route, to block all /debug, /test, /seed paths in production; answer 404 rather than 403 so the response does not confirm the route exists
  • Run a route audit before every production deployment and fail the build when a route under a debug prefix is found
  • Use separate debug servers on internal-only ports instead of adding debug routes to the main app
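
The middleware and route-audit steps above, as one added example that is not code from the page: a fail-closed guard in the (req, res, next) shape Express uses, plus an audit that takes a plain list of { method, path } routes so it runs in CI without a framework. The prefix list and the names blockDebugRoutes, auditRoutes, isDebugPath and listExpressRoutes are assumptions for this example; listExpressRoutes walks the Express 4 internal app._router.stack, which is an assumption about Express internals and is not part of its public API.

```javascript
// Added example, not code from the page: a fail-closed production guard for
// debug paths and a pre-deploy route audit.
const DEBUG_PREFIXES = ['/debug', '/test', '/seed', '/api/seed', '/api/dev'];

// Normalise before matching so /DEBUG//config/?x=1 still hits the /debug rule:
// drop the query string, lower-case, collapse repeated slashes, strip the
// trailing slash. Without this, trivial variants walk past a literal check.
function normalizePath(rawPath) {
  let path = String(rawPath).split('?')[0].toLowerCase().replace(/\/{2,}/g, '/');
  if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);
  return path;
}

// Prefix match on whole segments: /test and /test/login match, /testing does not.
function isDebugPath(rawPath, prefixes = DEBUG_PREFIXES) {
  const path = normalizePath(rawPath);
  return prefixes.some((p) => path === p || path.startsWith(p + '/'));
}

// Express-style middleware factory. Debug paths are allowed only when the
// environment is exactly 'development'; an unset NODE_ENV blocks them, so a
// forgotten variable fails closed. The guard answers 404 rather than 403 so
// the response does not confirm to a scanner that the route exists.
// Mount it before any route: app.use(blockDebugRoutes()).
function blockDebugRoutes(env = process.env.NODE_ENV, prefixes = DEBUG_PREFIXES) {
  const allow = env === 'development';
  return function debugGuard(req, res, next) {
    if (!allow && isDebugPath(req.path ?? req.url, prefixes)) {
      res.status(404).json({ error: 'Not found' });
      return;
    }
    next();
  };
}

// Pre-deploy audit: report every registered route under a debug prefix.
// Run it in CI and fail the build when the returned list is non-empty.
function auditRoutes(routes, prefixes = DEBUG_PREFIXES) {
  return routes
    .filter((r) => isDebugPath(r.path, prefixes))
    .map((r) => `${r.method.toUpperCase()} ${r.path}`);
}

// Collect { method, path } from an Express 4 app by walking app._router.stack
// (internal API, assumed here; Express 5 exposes the router as app.router).
// Routers mounted with app.use() are not descended into.
function listExpressRoutes(app) {
  const routes = [];
  const stack = (app._router && app._router.stack) || [];
  for (const layer of stack) {
    if (!layer.route) continue;
    for (const method of Object.keys(layer.route.methods)) {
      routes.push({ method, path: layer.route.path });
    }
  }
  return routes;
}

// CI usage: const leaks = auditRoutes(listExpressRoutes(app));
//           if (leaks.length) { console.error(leaks); process.exit(1); }
```

The guard is a backstop, not a substitute for the NODE_ENV gate in the Secure Code section: a debug route that is never registered cannot be reached by a path variant the prefix list misses, so keep both, and let the audit catch whatever someone registers outside the gate.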

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP

Data Hogo detects this vulnerability automatically.
