CVE-2024-36105 | dbt allows Binding to an Unrestricted IP Address via socketsocket

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, '' represents `IN6ADDR_ANY`, which is equivalent to `"::"`. A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`.

Published: 2024-05-27 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2024-36105 is rated Low Risk (38.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.71%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-36105

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.27%	0.71%	+0.45%
2	2026-02-20	0.20%	0.27%	+0.06%
3	2026-02-07	—	0.20%	—

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-36105

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]

Weakness enumeration for CVE-2024-36105

CWE-1327 MITRE ↗

GitHub Security Advisory for CVE-2024-36105

GHSA-pmrx-695r-4349 · Severity: medium · Ecosystem: pip — dbt allows Binding to an Unrestricted IP Address via socketsocket

Affected software / configurations for CVE-2024-36105

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2024-36105

URL	Tags
https://cwe.mitre.org/data/definitions/1327.html
https://docs.python.org/3/library/socket.html#socket-families
https://docs.securesauce.dev/rules/PY030
https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39
https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7
https://github.com/dbt-labs/dbt-core/issues/10209
https://github.com/dbt-labs/dbt-core/pull/10208
https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15
https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15
https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1
https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349

cvelogic Threat Intelligence