ASP.NET Core Development Mode enabled - Vulnerability Database

ASP.NET Core Development Mode enabled

Description

The ASP.NET Core application is configured to run in development mode in a production environment. Development mode enables detailed error pages, diagnostic information, and debugging features that expose internal application details such as stack traces, source code snippets, environment variables, and configuration settings. This mode is intended exclusively for local development and should never be enabled in production deployments.

Remediation

Configure the application to run in production mode by setting the ASPNETCORE_ENVIRONMENT variable to 'Production'. Remove or modify any code that explicitly enables development mode.

For hosting environments, set the environment variable:

ASPNETCORE_ENVIRONMENT=Production

In Program.cs or Startup.cs, ensure the development exception page is only enabled for development environments:

if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

Verify the configuration by checking that custom error pages are displayed instead of detailed exception information when errors occur in production.

References

Use multiple environments in ASP.NET Core

Related Vulnerabilities

Severity

Medium

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N