Flask API Runs on Built-In Dev Server with Debug Enabled

[devprashant19]

Component: Flask ML API / DevOps
Files Affected: backend/api.py, run-dev.ps1
Severity: Critical

Description

The Python Flask API relies on app.run(host="0.0.0.0", port=FLASK_PORT, debug=True) to start the server.

1. Debug Mode: Leaving debug=True exposed to a network is a severe vulnerability. The Werkzeug debugger allows arbitrary Python code execution if an attacker triggers a stack trace.
2. Built-in Server: The built-in Flask server is synchronous and meant strictly for local development. It cannot handle concurrent production load efficiently.

Proposed Fix

1. Remove debug=True from app.run().
2. Introduce a production-grade WSGI server (such as gunicorn or waitress) into the Python requirements and modify the startup scripts (run-dev.ps1 or Dockerfiles) to run the app through the WSGI server instead of directly invoking api.py.

[github-actions]

👋 Welcome back! Thanks for your continued contribution. Your issue/PR is received and waiting for maintainer review.

[github-actions]

The report highlights critical security and performance issues in a Flask API, which uses the built-in development server with debug=True enabled. This configuration exposes the app to risks such as arbitrary code execution and inefficient handling of concurrent production traffic. The recommended solution is to disable debug mode and switch to a production-grade WSGI server like gunicorn or waitress for deployment.

[devprashant19]

@Userunknown84 I would like to work on this issue please assign me

[Userunknown84]

Project is in development phase that's why use app.run(host="0.0.0.0", port=FLASK_PORT, debug=True)