From 7fab2e51ffca3df4139cd5dacc5a2ff421204803 Mon Sep 17 00:00:00 2001
From: "pensarapp[bot]" <182705637+pensarapp[bot]@users.noreply.github.com>
Date: Mon, 9 Jun 2025 21:51:51 +0200
Subject: [PATCH] Pensar - auto fix for 1 issues (CWE-489, CWE-284 (#937)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

![Secured with Pensar](https://pensar-brand-assets.s3.us-east-1.amazonaws.com/secured-by-pensar-large.svg)

The critical vulnerability involved exposing the debugpy debugger server on 0.0.0.0:5678 (all network interfaces) when certain environment variables were set, which allowed unauthenticated remote code execution. This was fixed by changing the debugpy --listen argument from 0.0.0.0:5678 to 127.0.0.1:5678, ensuring the debug server is bound only to localhost and is not externally accessible. All other code and logic were left unchanged.
More Details

| Type | Identifier | Message | Severity | Link |
|------|------------|---------|----------|------|
| Application | CWE-489, CWE-284 | When both ENVIRONMENT=dev/local and DEBUG=true are set, the script launches `debugpy` bound to 0.0.0.0:5678 and waits for a client to attach. `debugpy` shells allow full, arbitrary code execution inside the running container/process. If the container or host network is exposed—even inadvertently—an attacker can connect to this port and gain RCE. Because only environment variables gate this behavior, a mis-configuration, leaked compose file, or SSRF that sets these variables could unintentionally expose the debugger in production.<br>Impact: Remote Code Execution, full compromise of the application and underlying data.<br>Severity is elevated as the issue provides unauthenticated code-level access to the live service. | critical | [Link](https://console.pensar.dev/cognee/projects/cognee/a3838758-8ac3-4f46-8d34-035abb845e91) |
Co-authored-by: pensarapp[bot] <182705637+pensarapp[bot]@users.noreply.github.com> --- entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 31a2b328d..cdb5165aa 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -37,10 +37,10 @@ sleep 2 if [ "$ENVIRONMENT" = "dev" ] || [ "$ENVIRONMENT" = "local" ]; then if [ "$DEBUG" = "true" ]; then echo "Waiting for the debugger to attach..." - debugpy --wait-for-client --listen 0.0.0.0:5678 -m gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app + debugpy --wait-for-client --listen 127.0.0.1:5678 -m gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app else gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app fi else gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level error cognee.api.client:app -fi +fi \ No newline at end of file
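Review bot: with `--listen 127.0.0.1:5678` the retained `--wait-for-client` flag changes the dev workflow this branch exists for: when the service runs in a container, a loopback-bound debugpy listener cannot be reached through a published port mapping, so gunicorn will block at "Waiting for the debugger to attach..." until a client attaches from inside the container's network namespace (for example via `docker exec` or a sidecar that shares the namespace). Document that alongside the change in the README or compose file, or read the listen address from an explicitly-set variable that defaults to `127.0.0.1`, so the safe default holds without surprising developers. Two smaller points on the same hunk: gunicorn's own `--bind=0.0.0.0:8000` is intentionally unchanged since that is the application port, and the trailing `-fi` / `+fi` pair is a no-op apart from adding the missing newline at end of file.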