low | CWE-16 | A05:2021

Unnecessary Exposed Ports

EXPOSE-ing ports your application doesn't actually use increases the attack surface without any benefit.

How It Works

EXPOSE in a Dockerfile documents that a container listens on a port. While it doesn't automatically publish ports to the host, it signals to orchestration tools like Kubernetes and Docker Compose that those ports are available. Exposing ports like 22 (SSH) or debug ports (9229) in production containers invites attack.

Vulnerable Code

# BAD: exposing SSH and debug ports that shouldn't be in production
# (Docker only treats '#' as a comment at the start of a line, so the
# explanations sit on their own lines rather than after the EXPOSE arguments)
FROM node:20-alpine
EXPOSE 3000
# SSH — should never be in a production container
EXPOSE 22
# Node.js debugger — dangerous in production
EXPOSE 9229
CMD ["node", "server.js"]

Secure Code

# GOOD: only expose the port your application actually serves
FROM node:20-alpine
# only the application port
EXPOSE 3000
CMD ["node", "server.js"]

Real-World Example

Misconfigured Kubernetes deployments exposing port 9229 (Node.js inspector) have been exploited in the wild. Attackers connect to the debug port and achieve full remote code execution by sending arbitrary JavaScript.

How to Prevent It

  • Only EXPOSE ports that your application actively listens on in production
  • Never expose port 22 (SSH), 9229 (Node debugger), or any database port (5432, 3306) in production images
  • Use network policies in Kubernetes to restrict which services can communicate on each port
  • Audit your docker-compose.yml and Kubernetes manifests for unnecessary port mappings
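One way to automate the Dockerfile part of that audit, as an added example that is not the page's or Data Hogo's code: it parses every EXPOSE directive (multiple ports per line, optional /udp suffix), flags the risky ports named above and any port outside a per-service allowlist, and also reports the common inline-comment mistake, since Docker passes a trailing "# text" to the port parser and fails the build. The sample Dockerfile, the RISKY_PORTS table and the allowlist are constructed assumptions to be tuned per service.

```python
import re

# Ports the page says never belong in a production image (illustrative table)
RISKY_PORTS = {22: "SSH", 9229: "Node.js inspector", 5432: "PostgreSQL", 3306: "MySQL"}

# EXPOSE takes one or more whitespace-separated "port" or "port/proto" arguments
EXPOSE_RE = re.compile(r"^\s*EXPOSE\s+(.+?)\s*$", re.IGNORECASE)

def parse_expose(dockerfile_text):
    """Return ([(line, port, proto), ...], [problem strings]) for all EXPOSE lines."""
    ports, problems = [], []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # full-line comment: the only comment form Docker accepts
        m = EXPOSE_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            port_str, _, proto = token.partition("/")
            if port_str.isdigit():
                ports.append((lineno, int(port_str), proto.lower() or "tcp"))
            else:
                # A '#' or word after the port is not a comment: Docker hands it to
                # the port parser, which rejects it. (Build-arg references such as
                # ${PORT} are not expanded here and are reported the same way.)
                problems.append(f"line {lineno}: invalid EXPOSE argument {token!r}")
    return ports, problems

def audit(dockerfile_text, allowed):
    """Findings for risky ports and for ports outside the service's allowlist."""
    ports, findings = parse_expose(dockerfile_text)
    for lineno, port, proto in ports:
        if port in RISKY_PORTS:
            findings.append(f"line {lineno}: port {port}/{proto} ({RISKY_PORTS[port]}) "
                            "must not be exposed in production")
        elif port not in allowed:
            findings.append(f"line {lineno}: port {port}/{proto} is not a documented "
                            "listening port")
    return findings

# Constructed sample mirroring the vulnerable Dockerfile above, plus a stray UDP port
SAMPLE_DOCKERFILE = """\
# constructed sample
FROM node:20-alpine
EXPOSE 3000
# SSH: should never be in a production container
EXPOSE 22
EXPOSE 9229 5353/udp
CMD ["node", "server.js"]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCKERFILE, allowed={3000}):
        print(finding)
```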

Affected Technologies

Docker

Data Hogo detects this vulnerability automatically.
