Severity: Low · CWE-200 · OWASP A05:2021

Feature Flags Exposed

Feature flags included in the frontend JavaScript bundle reveal unreleased features, internal testing configurations, and potential attack surfaces to anyone inspecting the code.

How It Works

Feature flags control which features are enabled for different users or environments. When these flags are bundled into client-side JavaScript, anyone can read them in the browser's developer tools or in the served JavaScript source, even after minification, since the flag names survive as object keys. This reveals unreleased features that may still have incomplete security controls, A/B test configurations that leak business strategy, internal-only features that should never be reachable by regular users, and sometimes admin or debug flags that the client code itself reads from localStorage or cookies, so a user can toggle them. The flags themselves are often not directly exploitable, but the information they reveal helps attackers identify soft targets.
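The disclosure is easy to check for on the defender's side. The following is an added example, not code from the original page or from any vendor: a small bundle auditor that finds feature-flag-style constants in built JavaScript and reports the ones whose names suggest admin, debug, internal or security-bypass behaviour. The sample bundle string is constructed to look like a minified build of the vulnerable config above; in practice you would run the same function over every file in your build output directory (dist/ is assumed).

```typescript
// Added example, not the page's or any vendor's code: scan a built JavaScript
// bundle for feature-flag-style constants and flag the ones whose names
// suggest admin, debug, internal or security-bypass behaviour.

const SENSITIVE_FLAG_PATTERNS: RegExp[] = [
  /ADMIN/, /DEBUG/, /INTERNAL/, /BYPASS/, /^SKIP_/, /^DISABLE_/, /UNRELEASED/,
];

interface FlagFinding {
  name: string;      // the flag identifier as it appears in the bundle
  value: string;     // the literal or expression it is assigned
  sensitive: boolean;
}

// SCREAMING_SNAKE_CASE key followed by a value, e.g. `ADMIN_PANEL_V2: false`
// in source or `ADMIN_PANEL_V2:!1` after minification. The value runs to the
// next comma or closing brace, so identifiers inside the value are not
// re-matched as keys.
const FLAG_KEY_SOURCE = '\\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\\s*:\\s*([^,}\\n]+)';

function auditBundle(bundleSource: string): FlagFinding[] {
  const re = new RegExp(FLAG_KEY_SOURCE, 'g');
  const findings: FlagFinding[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(bundleSource)) !== null) {
    const name = m[1];
    findings.push({
      name: name,
      value: m[2].trim(),
      sensitive: SENSITIVE_FLAG_PATTERNS.some((p) => p.test(name)),
    });
  }
  return findings;
}

// Names that should never have reached the client bundle at all.
function sensitiveFlagNames(bundleSource: string): string[] {
  return auditBundle(bundleSource)
    .filter((f) => f.sensitive)
    .map((f) => f.name);
}

// Constructed sample: roughly what a minifier leaves of the vulnerable
// config above (booleans become !0 / !1, whitespace stripped).
const SAMPLE_BUNDLE =
  'const e={ENABLE_NEW_CHECKOUT:!0,ADMIN_PANEL_V2:!1,' +
  'SKIP_RATE_LIMITING:"development"===process.env.NODE_ENV,' +
  'INTERNAL_DEBUG_MODE:!1,UNRELEASED_AI_FEATURE:!1};export{e as FEATURES};';

// Usage: a CI step would fail the build when this list is non-empty.
const leaked = sensitiveFlagNames(SAMPLE_BUNDLE);
if (leaked.length > 0) {
  console.log('Sensitive flags in bundle: ' + leaked.join(', '));
}
```

The name patterns are a starting heuristic, not a complete list; the more reliable signal is the one a human gets from reading the full `auditBundle` output and asking, for each key, whether the client has any legitimate reason to know it exists.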

Vulnerable Code
// config/features.ts - bundled into client JS
export const FEATURES = {
  ENABLE_NEW_CHECKOUT: true,
  ADMIN_PANEL_V2: false,
  SKIP_RATE_LIMITING: process.env.NODE_ENV === 'development',
  INTERNAL_DEBUG_MODE: false,
  UNRELEASED_AI_FEATURE: false
};

Secure Code
// Server-side only feature evaluation
import { featureFlagService } from './featureFlagService'; // assumed module path; any server-side flag SDK works here

export async function getFeatureFlags(userId: string) {
  const flags = await featureFlagService.evaluate(userId);
  // ADMIN_PANEL_V2, SKIP_RATE_LIMITING and INTERNAL_DEBUG_MODE are never sent to the client.
  // Only return the already-evaluated results relevant to this user, under client-facing names.
  return {
    enableNewCheckout: flags.ENABLE_NEW_CHECKOUT,
    showAiFeature: flags.UNRELEASED_AI_FEATURE
  };
}

Real-World Example

In 2020, researchers found that multiple SaaS companies exposed feature flags in their frontend bundles, revealing upcoming products months before launch. One fintech company's exposed flags included BYPASS_KYC_CHECK, which, when enabled via the browser console, allowed attackers to skip identity verification steps.

How to Prevent It

  • Evaluate feature flags server-side and only send the result (not flag names) to the client
  • Never include admin, debug, or security-bypass flags in frontend code
  • Use a feature flag service (LaunchDarkly, Unleash) that evaluates flags server-side
  • Audit your JavaScript bundles regularly for leaked configuration data
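The first three bullets amount to one pattern: evaluate every flag on the server, then expose only an allowlisted subset under neutral names, and have protected routes re-check the server's own evaluation rather than anything the client claims. The following is an added example, not code from the original page or from any flag vendor. `FLAG_RULES` is a constructed stand-in for a flag service's rule store (LaunchDarkly or Unleash server-side SDKs would supply the evaluation), and the `/api/flags` route is assumed.

```typescript
// Added example, not the page's or any vendor's code: server-side evaluation
// with a client allowlist, plus a server-side gate that ignores client claims.

type FlagName =
  | 'ENABLE_NEW_CHECKOUT'
  | 'ADMIN_PANEL_V2'
  | 'SKIP_RATE_LIMITING'
  | 'INTERNAL_DEBUG_MODE'
  | 'UNRELEASED_AI_FEATURE';

interface User {
  id: string;
  role: 'user' | 'admin';
  betaCohort: boolean;
}

// Constructed stand-in for a flag service's rules: one rule per flag,
// decided from server-side user data only.
const FLAG_RULES: { [K in FlagName]: (u: User) => boolean } = {
  ENABLE_NEW_CHECKOUT: () => true,
  ADMIN_PANEL_V2: (u) => u.role === 'admin',
  SKIP_RATE_LIMITING: () => false,   // never enabled for real traffic
  INTERNAL_DEBUG_MODE: () => false,
  UNRELEASED_AI_FEATURE: (u) => u.betaCohort,
};

// Allowlist: only these flags may reach the browser, and only under
// client-facing names so the internal identifiers are not disclosed.
const CLIENT_FLAG_MAP: { [K in FlagName]?: string } = {
  ENABLE_NEW_CHECKOUT: 'enableNewCheckout',
  UNRELEASED_AI_FEATURE: 'showAiFeature',
};

function evaluateAll(user: User): { [K in FlagName]: boolean } {
  const result = {} as { [K in FlagName]: boolean };
  (Object.keys(FLAG_RULES) as FlagName[]).forEach((name) => {
    result[name] = FLAG_RULES[name](user);
  });
  return result;
}

// What the assumed /api/flags endpoint returns for this user: resolved
// booleans only, no flag names from the rule store, no unlisted flags.
function clientFlags(user: User): { [clientKey: string]: boolean } {
  const all = evaluateAll(user);
  const out: { [clientKey: string]: boolean } = {};
  (Object.keys(CLIENT_FLAG_MAP) as FlagName[]).forEach((internal) => {
    out[CLIENT_FLAG_MAP[internal] as string] = all[internal];
  });
  return out;
}

// Server-side gate for a protected route. It re-evaluates on the server and
// ignores whatever the client says about its flags, so a value toggled in
// localStorage or the console has no effect here.
function canAccessAdminPanel(
  user: User,
  _clientClaimedFlags?: { [k: string]: unknown },
): boolean {
  return evaluateAll(user).ADMIN_PANEL_V2;
}

// Usage with constructed users.
const betaTester: User = { id: 'u1', role: 'user', betaCohort: true };
console.log(JSON.stringify(clientFlags(betaTester)));
console.log(canAccessAdminPanel(betaTester, { ADMIN_PANEL_V2: true }));
```

The allowlist is the part worth reviewing in code review: adding a flag to `FLAG_RULES` does nothing for the client until someone deliberately adds a client-facing name to `CLIENT_FLAG_MAP`, which is the direction of failure you want.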

Affected Technologies

Node.js, React, Next.js

Data Hogo detects this vulnerability automatically.