Running a Flask application with debug mode enabled may allow an attacker to gain access through the Werkzeug debugger.

Ensure that Flask applications that are run in a production environment have debugging disabled.

Running the following code starts a Flask web server with debugging enabled. By visiting /crash, it is possible to gain access to the Werkzeug interactive debugger and run arbitrary code through it.
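The defensive counterpart to the pattern described above, added here as an example that is not part of the original page or of CodeQL's own query: a small stdlib-only checker that scans Python source for the two common ways Flask debug mode gets switched on (`app.run(debug=True)` and `app.debug = True`), run over constructed vulnerable and hardened samples. The sample sources and the `FLASK_DEBUG` environment handling in the hardened version are assumptions for illustration, and the checker only flags a literal `True`, so a value derived from the environment is left to deployment review.

```python
import ast

# Constructed sample: debug hard-coded on, as the page warns against.
VULNERABLE_SRC = '''
from flask import Flask
app = Flask(__name__)

@app.route("/crash")
def crash():
    raise RuntimeError("boom")

if __name__ == "__main__":
    app.run(debug=True)
'''

# Constructed sample: debug defaults to off; only an explicit non-production
# opt-in through the environment (an assumption here) turns it on.
HARDENED_SRC = '''
import os
from flask import Flask
app = Flask(__name__)

if __name__ == "__main__":
    app.run(debug=os.environ.get("FLASK_DEBUG") == "1")
'''


def _is_true_literal(node):
    return isinstance(node, ast.Constant) and node.value is True


def find_debug_enabled(source):
    """Return (line number, description) for each literal enabling of debug."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # <something>.run(..., debug=True)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true_literal(kw.value):
                    findings.append((node.lineno, "run(debug=True)"))
        # <something>.debug = True
        if isinstance(node, ast.Assign) and _is_true_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, "debug attribute set to True"))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(name, find_debug_enabled(src))
```

The check is a lightweight gate for CI; it does not replace the CodeQL query, which also tracks values that flow into the `debug` argument.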

  • Flask Quickstart Documentation: Debug Mode.
  • Werkzeug Documentation: Debugging Applications.