CVE-2024-36105
Description
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, dbt docs serve bound its HTTP server to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::), which exposes the application on all network interfaces and increases the risk of unauthorized access. As the Python docs state, a special form of address is accepted in place of a host address: '' represents INADDR_ANY, equivalent to "0.0.0.0", and on systems with IPv6 it represents IN6ADDR_ANY, equivalent to "::". A user who serves docs while on an unsecured public network may therefore unknowingly be hosting an unsecured (HTTP) web site that any remote user or system on the same network can access. The issue has been mitigated in dbt-core v1.6.15, v1.7.15, and v1.8.1 by binding to localhost explicitly by default in dbt docs serve.
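To see what the empty-string address described above actually binds, the following added example (not code from dbt-core) constructs a TCPServer the same way the pre-fix dbt docs serve did, reads back the address the kernel bound, and checks whether the listener is loopback-only; the function names are this example's own.

```python
import ipaddress
import socketserver
from http.server import SimpleHTTPRequestHandler


def bound_address(host: str) -> str:
    """Bind a TCPServer the way dbt docs serve does and return the address
    the kernel actually bound. Port 0 requests an ephemeral port so the check
    never collides with a running service; the socket is closed on exit."""
    with socketserver.TCPServer((host, 0), SimpleHTTPRequestHandler) as httpd:
        # TCPServer refreshes server_address from getsockname() after bind,
        # so the special form "" comes back as the wildcard address 0.0.0.0.
        return httpd.server_address[0]


def is_loopback_only(host: str) -> bool:
    """True when a listener bound to `host` is reachable only from this machine."""
    return ipaddress.ip_address(bound_address(host)).is_loopback


if __name__ == "__main__":
    # "" is the pre-fix bind host, "127.0.0.1" the post-fix default.
    for host in ("", "127.0.0.1"):
        print(f"bind {host!r:12} -> {bound_address(host):10} "
              f"loopback_only={is_loopback_only(host)}")
```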
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dbt-core (PyPI) | < 1.6.15 | 1.6.15 |
| dbt-core (PyPI) | >= 1.7.0, < 1.7.15 | 1.7.15 |
| dbt-core (PyPI) | >= 1.8.0, < 1.8.1 | 1.8.1 |
Patches
0c08d7a19ad1 change port bind and add a unittest (#10208)
4 files changed · +30 −1
.changes/unreleased/Security-20240522-094540.yaml+6 −0 added@@ -0,0 +1,6 @@ +kind: Security +body: Explicitly bind to localhost in docs serve +time: 2024-05-22T09:45:40.748185-04:00 +custom: + Author: ChenyuLInx michelleark + Issue: "10209"
core/dbt/task/docs/serve.py+1 −1 modified@@ -20,7 +20,7 @@ def run(self): if self.args.browser: webbrowser.open_new_tab(f"http://localhost:{port}") - with socketserver.TCPServer(("", port), SimpleHTTPRequestHandler) as httpd: + with socketserver.TCPServer(("127.0.0.1", port), SimpleHTTPRequestHandler) as httpd: click.echo(f"Serving docs at {port}") click.echo(f"To access from your browser, navigate to: http://localhost:{port}") click.echo("\n\n")
tests/unit/task/docs/__init__.py+0 −0 addedtests/unit/task/docs/test_serve.py+23 −0 added@@ -0,0 +1,23 @@ +from http.server import SimpleHTTPRequestHandler +from unittest.mock import MagicMock, patch + +import pytest + +from dbt.task.docs.serve import ServeTask + + +@pytest.fixture +def serve_task(): + # Set up + task = ServeTask(config=MagicMock(), args=MagicMock()) + task.config.project_target_path = "." + task.args.port = 8000 + return task + + +def test_serve_bind_to_127(serve_task): + serve_task.args.browser = False + with patch("dbt.task.docs.serve.socketserver.TCPServer") as patched_TCPServer: + patched_TCPServer.return_value = MagicMock() + serve_task.run() + patched_TCPServer.assert_called_once_with(("127.0.0.1", 8000), SimpleHTTPRequestHandler)
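Review bot: the changelog body "Explicitly bind to localhost in docs serve" is slightly imprecise relative to the serve.py hunk, which binds the literal "127.0.0.1" rather than the name localhost; since localhost may resolve to ::1 on some hosts, stating "bind to 127.0.0.1 (IPv4 loopback)" in the Security entry would describe the actual behaviour users will observe.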
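Review bot: the serve.py hunk hard-codes the bind host as the literal "127.0.0.1", which closes the exposure but leaves no supported way to serve docs on another address (for example from inside a container reached from the host) short of editing the source. A `--host` option on `dbt docs serve` that defaults to "127.0.0.1" would keep the secure default while making any wider bind an explicit, visible choice, and the `click.echo(f"To access from your browser, navigate to: http://localhost:{port}")` banner could then print the chosen host.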
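Review bot: in test_serve_bind_to_127 the line `patched_TCPServer.return_value = MagicMock()` is redundant, since `patch()` already replaces TCPServer with a MagicMock whose return value supports the with-statement. The assertion also repeats the literal 8000 that the fixture sets; asserting with `("127.0.0.1", serve_task.args.port)` keeps the test honest if the fixture port changes, and a second case for a non-default port would show that the bind host stays fixed regardless of the port argument.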
References
- github.com/advisories/GHSA-pmrx-695r-4349 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-36105 (GHSA, advisory)
- cwe.mitre.org/data/definitions/1327.html (NVD, web)
- docs.python.org/3/library/socket.html (NVD, web)
- docs.securesauce.dev/rules/PY030 (NVD, web)
- github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py (NVD, web)
- github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7 (NVD, web)
- github.com/dbt-labs/dbt-core/issues/10209 (NVD, web)
- github.com/dbt-labs/dbt-core/pull/10208 (NVD, web)
- github.com/dbt-labs/dbt-core/releases/tag/v1.6.15 (NVD, web)
- github.com/dbt-labs/dbt-core/releases/tag/v1.7.15 (NVD, web)
- github.com/dbt-labs/dbt-core/releases/tag/v1.8.1 (NVD, web)
- github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349 (NVD, web)