
Drizzle Kit Studio Exposed on Production: Silent Data Exfiltration


Drizzle Studio is a developer admin UI for your database. If your deploy pipeline accidentally ships it to prod, any visitor can read — and edit — every row.

April 24, 2026 · VibeWShield Team · 1 min read

drizzle-kit studio starts a local server on port 4983 by default (the Drizzle Studio web UI talks to it) and has no authentication of its own. On your laptop, bound to 127.0.0.1, it's great. Started with --host 0.0.0.0 on a Fly.io machine whose proxy routes that port to a public wildcard domain, it's a catastrophe: every row of the production database is readable and writable by anyone who finds it.

Detection

curl -sI https://your-app.com:4983/ | head -3
# HTTP/2 200
# x-drizzle-studio: v0.x

If you see this, something on Studio's port is answering without asking for credentials. Studio has no login, so your production database is browsable and editable by anyone who can reach it. A 401 or 403 means something is at least challenging; a connection refusal or timeout is what you want.
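The same check, widened to every dev-admin port this article names, as an added example rather than VibeWShield's own scanner. The port-to-label list is taken from the article; the severity mapping (2xx/3xx high, 401/403 medium, any other HTTP answer low, no answer none) is this example's assumption. Run it only against hosts you are authorized to test.

```shell
#!/usr/bin/env bash
# Added example (not VibeWShield's scanner): probe the dev-admin ports named in
# the article against one host and rate what answers.
set -u

# port:label pairs from the article (constructed list for this example)
DEV_ADMIN_PORTS="4983:drizzle-studio 5555:prisma-studio 3001:keystone 1337:strapi 5050:pgadmin"

# severity CODE -> high | medium | low | none   (mapping is this example's assumption)
#   2xx/3xx : something answered and did not ask for credentials
#   401/403 : reachable, but at least challenges (still worth removing)
#   000     : curl's code for "no response" (refused, timed out, unreachable)
#   other   : something is listening, but it is not obviously an admin UI
severity() {
  case "$1" in
    2[0-9][0-9]|3[0-9][0-9]) echo high ;;
    401|403)                 echo medium ;;
    ''|000)                  echo none ;;
    *)                       echo low ;;
  esac
}

# http_code HOST PORT -> status of a HEAD request, trying https then http.
# -k accepts self-signed certs: a dev tool behind a bad cert is still exposed.
http_code() {
  local host="$1" port="$2" scheme code
  for scheme in https http; do
    code=$(curl -skI -o /dev/null -m 5 -w '%{http_code}' "$scheme://$host:$port/" 2>/dev/null || true)
    case "$code" in
      ''|000) ;;                      # no answer on this scheme, try the next
      *) echo "$code"; return 0 ;;
    esac
  done
  echo 000
}

# scan HOST -> one line per port; returns 1 if anything answered at all
scan() {
  local host="$1" entry port label code sev rc=0
  for entry in $DEV_ADMIN_PORTS; do
    port=${entry%%:*}
    label=${entry#*:}
    code=$(http_code "$host" "$port")
    sev=$(severity "$code")
    printf '%-15s %5s  HTTP %s  %s\n' "$label" "$port" "$code" "$sev"
    [ "$sev" = none ] || rc=1
  done
  return $rc
}

# Usage: ./devports.sh your-app.com   (no host given: define the functions only)
if [ -n "${1:-}" ]; then
  scan "$1"
fi
```

A non-zero exit from scan is meant to fail a post-deploy smoke test, so the finding shows up in the pipeline rather than in someone else's scanner.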

Root cause

Two common paths into prod:

  1. npm run dev used as the Dockerfile's CMD, with a dev script that starts drizzle-kit studio next to the app (typically via concurrently). The Studio process then comes up in production on every deploy.
  2. A separate "admin" app or machine stood up for a one-off migration and never torn down afterwards.

Mitigation

  • Keep drizzle-kit in devDependencies only, and build the production image with npm ci --omit=dev (npm 8+; older npm: --production) so the binary is not in the image at all. A command that does not exist cannot be started by a stray script.
  • Let Fly.io's port allow-list do its job. fly.toml only routes what it enumerates: internal_port under [http_service] or [[services]], plus the external ports under [[services.ports]]. If 4983 appears nowhere, the proxy cannot reach it; also make sure internal_port is your app's port and not Studio's.
  • Leave Studio on its default bind address. drizzle-kit studio listens on 127.0.0.1 unless started with --host 0.0.0.0, and a process bound to loopback inside a container is unreachable from the Fly proxy. Grep your dev script for --host before assuming you are safe.
  • "private": true in package.json stops the app itself from being published to npm by mistake. That is good hygiene, but it does nothing about a Studio process already running in prod, so do not count it as the fix.
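A pre-deploy audit that turns the root causes and mitigations above into a build-breaking check, written here as an added example (not part of the article, of drizzle-kit, or of Fly.io's tooling). It inspects three files in a project directory: package.json (is drizzle-kit a runtime dependency?), the Dockerfile (does CMD/ENTRYPOINT start the dev script or Studio?) and fly.toml (is 4983 routed?). The package.json parsing is a line-oriented heuristic for normally formatted files, the regexes are this example's assumptions, and the two fixture projects it builds under mktemp are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the article's or any project's code): fail the build if a
# project can ship Drizzle Studio to production.
set -u

# in_dependencies PACKAGE_JSON PKG -> true if PKG is listed under "dependencies"
# (not devDependencies). Heuristic: track which top-level block the line is in.
in_dependencies() {
  awk -v pkg="$2" '
    /"dependencies"[[:space:]]*:/    { blk = "deps" }
    /"devDependencies"[[:space:]]*:/ { blk = "dev" }
    /^[[:space:]]*}/                 { blk = "" }
    blk == "deps" && index($0, "\"" pkg "\"") { found = 1 }
    END { exit !found }
  ' "$1"
}

# audit_project DIR -> prints one line per finding, returns 1 if any
audit_project() {
  local dir="$1" rc=0 f
  f="$dir/package.json"
  if [ -f "$f" ] && in_dependencies "$f" drizzle-kit; then
    echo "FAIL $f: drizzle-kit is a runtime dependency; move it to devDependencies"
    rc=1
  fi
  f="$dir/Dockerfile"
  # matches "npm run dev", ["npm", "run", "dev"], "npx drizzle-kit studio", ...
  if [ -f "$f" ] && grep -Eq '^(CMD|ENTRYPOINT)[[:space:]].*(npm[^[:alpha:]]+run[^[:alpha:]]+dev([^[:alpha:]]|$)|drizzle-kit[^[:alpha:]]+studio)' "$f"; then
    echo "FAIL $f: CMD/ENTRYPOINT runs the dev script or drizzle-kit studio"
    rc=1
  fi
  f="$dir/fly.toml"
  if [ -f "$f" ] && grep -Eq '^[[:space:]]*(internal_)?port[[:space:]]*=[[:space:]]*4983([^0-9]|$)' "$f"; then
    echo "FAIL $f: port 4983 (Drizzle Studio) is routed by the Fly proxy"
    rc=1
  fi
  if [ $rc -eq 0 ]; then echo "OK   $dir: no Drizzle Studio exposure found"; fi
  return $rc
}

# make_fixture bad|good -> creates a constructed sample project, prints its path
make_fixture() {
  local d
  d=$(mktemp -d)
  if [ "$1" = bad ]; then
    cat > "$d/package.json" <<'EOF'
{
  "name": "shop-api",
  "scripts": { "dev": "concurrently \"next dev\" \"drizzle-kit studio --host 0.0.0.0\"" },
  "dependencies": {
    "drizzle-orm": "^0.30.0",
    "drizzle-kit": "^0.20.0"
  }
}
EOF
    printf 'FROM node:20\nCOPY . .\nRUN npm ci\nCMD ["npm", "run", "dev"]\n' > "$d/Dockerfile"
    printf '[http_service]\n  internal_port = 4983\n' > "$d/fly.toml"
  else
    cat > "$d/package.json" <<'EOF'
{
  "name": "shop-api",
  "scripts": { "start": "next start" },
  "dependencies": { "drizzle-orm": "^0.30.0" },
  "devDependencies": { "drizzle-kit": "^0.20.0" }
}
EOF
    printf 'FROM node:20\nCOPY . .\nRUN npm ci --omit=dev\nCMD ["npm", "run", "start"]\n' > "$d/Dockerfile"
    printf '[http_service]\n  internal_port = 3000\n' > "$d/fly.toml"
  fi
  echo "$d"
}

# Usage: ./audit.sh /path/to/project   (no argument: demo on the two fixtures)
if [ -n "${1:-}" ]; then
  audit_project "$1"
else
  for kind in bad good; do
    d=$(make_fixture "$kind")
    audit_project "$d" || echo "  -> build would be blocked"
    rm -rf "$d"
  done
fi
```

Wire it in before the image is built (a CI step or a Dockerfile RUN before CMD is baked) so a misconfigured dev script fails the pipeline instead of reaching a machine.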

VibeWShield checks the top 20 developer-admin ports on every scan — Drizzle Studio (4983), Prisma Studio (5555), Keystone (3001 with admin-meta headers), Strapi (1337), pgAdmin (5050). Any one of them responding publicly is a high-severity finding.

Free security scan

Test your app for these vulnerabilities

VibeWShield automatically scans for everything covered in this article and more — 18 security checks in under 3 minutes.

Scan your app free