Craft CMS Development Mode enabled - Vulnerability Database

Craft CMS Development Mode enabled

Description

Craft CMS is running with development mode enabled, which is intended solely for local development environments and should never be active in production. Development mode automatically enables the Yii2 debug toolbar and detailed error reporting, exposing internal application details including database schema, configuration parameters, environment variables, request/response data, and application file paths. This configuration setting creates an information disclosure vulnerability that attackers can exploit to gather intelligence for more sophisticated attacks.

Remediation

Immediately disable development mode in all production and staging environments by modifying the Craft CMS configuration. Open the .env file in your Craft CMS root directory and ensure the following settings are configured:

CRAFT_ENVIRONMENT=production
CRAFT_DEV_MODE=false

Alternatively, if using the config/general.php file, ensure development mode is explicitly disabled:

'devMode' => false,

After making these changes, clear the Craft CMS cache and verify that the debug toolbar is no longer accessible. Implement environment-specific configuration management to ensure development mode is only enabled in local development environments. Review your deployment process to prevent development configurations from being promoted to production.
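
One way to enforce this in a deployment pipeline, as an added example that is not part of the original page or of Craft CMS's own tooling: a POSIX shell function that fails the deploy when either setting shown above enables development mode. The function name, the set of values treated as "enabled" and the line-based match on config/general.php are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deploy gate for the two settings named above.
# check_craft_devmode ROOT  -> returns 0 if clean, 1 if dev mode is enabled.
# Assumption: true/1/yes/on (any case) are treated as "enabled" values.
check_craft_devmode() {
    root=$1
    rc=0
    env_re='^[[:space:]]*(export[[:space:]]+)?CRAFT_DEV_MODE[[:space:]]*=[[:space:]]*["'\'']?(true|1|yes|on)["'\'']?[[:space:]]*(#.*)?$'
    php_re='["'\'']devMode["'\''][[:space:]]*=>[[:space:]]*(true|TRUE|True)'

    # .env: commented-out lines never match because the pattern is anchored.
    if [ -f "$root/.env" ] && grep -Eiq "$env_re" "$root/.env"; then
        echo "FAIL: $root/.env enables CRAFT_DEV_MODE"
        rc=1
    fi

    # config/general.php: drop comment lines, then look for a literal true.
    # This is a text match, not a PHP parse: it also flags 'devMode' => true
    # inside a per-environment block, and misses values computed at runtime.
    php="$root/config/general.php"
    if [ -f "$php" ] && grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$php" | grep -Eq "$php_re"; then
        echo "FAIL: $php sets 'devMode' => true"
        rc=1
    fi
    return "$rc"
}
```

Call it with the Craft CMS root directory of the build artifact and stop the deployment on a non-zero return.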
