GHSA-vg9h-jx4v-cwx2: Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)

January 29, 2026

The Unfurl web app enables Flask debug mode even when configuration sets debug = False. The config value is read as a string and passed directly to app.run(debug=...), so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default.

References

github.com/advisories/GHSA-vg9h-jx4v-cwx2
github.com/obsidianforensics/unfurl
github.com/obsidianforensics/unfurl/commit/4c0a07ab1e9af3a1ddf0e7f47153ec9ba77946dd
github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2

Code Behaviors & Features

Detect and mitigate GHSA-vg9h-jx4v-cwx2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →