# COMPOSE-SEC-007: Using Host Network Mode

> **Severity:** HIGH | **CWE:** CWE-250

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-007
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-007 --project .`

## Description

This rule detects services using `network_mode: host`. Such a service gets no
network namespace of its own: it shares the host's interfaces, routing table and
loopback address, so every socket the container opens is opened directly on the
host, it can bind any host port (including ones that clash with host services),
and any `ports:` mapping on the service is ignored.

## Vulnerable Code

```yaml
services:
  app:
    image: myapp
    network_mode: host  # DANGEROUS - No network isolation
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-007",
    name="Using Host Network Mode",
    severity="HIGH",
    cwe="CWE-250",
    category="security",
    tags="docker-compose,compose,network,host-network,security,isolation,networking,namespace,privilege-escalation",
    message="Service uses host network mode. Container shares host network stack, bypassing network isolation."
)
def host_network_mode():
    """
    Detects services using host network mode.

    Host network mode disables network namespace isolation, allowing
    the container to access all host network interfaces and localhost
    services, significantly increasing attack surface.
    """
    return service_has(
        key="network_mode",
        equals="host"
    )
```
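The matcher above is the SDK's declarative form of the check. As an added, stand-alone illustration (not the Code Pathfinder SDK and not part of the rule page), the function below implements the same `service_has(key="network_mode", equals="host")` semantics over the plain dictionaries that `yaml.safe_load()` returns for a `docker-compose.yml`, so it runs offline without the `rules` package. It also shows which neighbouring values are deliberately *not* flagged. The two sample documents are constructed for the example; `myapp`, the port numbers and the service names are placeholders.

```python
"""Stand-alone check for `network_mode: host` in parsed Compose documents.

Added illustration only: it re-implements the semantics of
service_has(key="network_mode", equals="host") on plain dicts such as
yaml.safe_load() returns for a docker-compose.yml. The sample documents
below are constructed and are not real project configuration.
"""
from typing import Any

RULE_ID = "COMPOSE-SEC-007"
MESSAGE = ("Service uses host network mode. Container shares host network stack, "
           "bypassing network isolation.")


def find_host_network_services(compose: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per service whose network_mode is exactly "host".

    Other values keep some namespace separation and are not flagged:
    "bridge"/"none" (own namespace), "service:<name>" / "container:<id>"
    (share another container's namespace, not the host's). The match is
    case-sensitive like the SDK rule: Docker itself only accepts the literal
    "host", anything else is looked up as a network name.
    """
    findings: list[dict[str, str]] = []
    services = compose.get("services") or {}
    for name, spec in services.items():
        if not isinstance(spec, dict):
            continue  # malformed entry (e.g. `app:` with no body); schema validation's job
        if spec.get("network_mode") == "host":
            findings.append({"rule": RULE_ID, "service": name, "message": MESSAGE})
    return findings


def scan_file(path: str) -> list[dict[str, str]]:
    """Parse a real compose file and run the check. Needs PyYAML (optional)."""
    import yaml  # imported lazily so the check itself has no third-party dependency
    with open(path, encoding="utf-8") as fh:
        return find_host_network_services(yaml.safe_load(fh) or {})


# Constructed sample: what yaml.safe_load() yields for the vulnerable compose file.
# Only "app" should be reported; "db" shares app's namespace, "cache" uses the default.
VULNERABLE_COMPOSE: dict[str, Any] = {
    "services": {
        "app": {"image": "myapp", "network_mode": "host"},
        "db": {"image": "postgres:16", "network_mode": "service:app"},
        "cache": {"image": "redis:7"},
    }
}

# Constructed sample: the same stack on a user-defined bridge network with one
# explicitly published port. Should produce no findings.
HARDENED_COMPOSE: dict[str, Any] = {
    "services": {
        "app": {"image": "myapp", "ports": ["127.0.0.1:8080:8080"], "networks": ["backend"]},
        "db": {"image": "postgres:16", "networks": ["backend"]},
    },
    "networks": {"backend": {"driver": "bridge"}},
}


if __name__ == "__main__":
    import sys

    docs = [scan_file(p) for p in sys.argv[1:]] or [
        find_host_network_services(VULNERABLE_COMPOSE),
        find_host_network_services(HARDENED_COMPOSE),
    ]
    for findings in docs:
        for f in findings:
            print(f"[{f['rule']}] service '{f['service']}': {f['message']}")
        if not findings:
            print("no host-network services found")
```

Run it with no arguments to see the two constructed samples evaluated, or pass one or more `docker-compose.yml` paths (with PyYAML installed) to scan real files.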

## How to Fix

- Remove `network_mode: host` and attach the service to a user-defined network declared under the top-level `networks:` key (bridge driver by default); containers on the same network reach each other by service name without any host exposure.
- Publish only the ports the service must expose with `ports:`, and bind them to `127.0.0.1` when the listener is meant for the host alone rather than the outside world.
- If the container only needs to reach a service listening on the host's loopback, use `extra_hosts: ["host.docker.internal:host-gateway"]` (Docker 20.10 and later on Linux) and connect to `host.docker.internal` instead of sharing the stack.
- If host networking is genuinely required (for example a packet-capture or network-monitoring sidecar), treat the service as trusted: run it as a non-root `user:`, add `cap_drop: [ALL]` plus only the capabilities it needs, and document the exception so the finding can be suppressed deliberately rather than ignored.
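The following compose fragment is an added example, not taken from the rule page or the Code Pathfinder project: it places the flagged service beside a hardened replacement that keeps the same reachability through a user-defined bridge network and one explicitly published port. The image names, service names and port numbers are placeholders.

```yaml
# Added example: before/after for COMPOSE-SEC-007. Service and image names are placeholders.
services:
  app-host:              # BEFORE: this is what the rule flags
    image: myapp
    network_mode: host   # shares the host's interfaces, routes and loopback

  app:                   # AFTER: own network namespace, explicit port publishing
    image: myapp
    networks:
      - backend
    ports:
      - "127.0.0.1:8080:8080"   # bound to loopback only; drop "127.0.0.1:" if it must be reachable externally
    extra_hosts:
      - "host.docker.internal:host-gateway"   # only if app must call a service on the host itself (Docker 20.10+)

  db:
    image: postgres:16
    networks:
      - backend          # reachable as "db" from app; never published on a host interface

networks:
  backend:
    driver: bridge
```

With this layout `app` can still talk to `db` (by name) and, if needed, to the host, while nothing the container listens on appears on a host interface unless it is listed under `ports:`.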

## Security Implications

- **Service Exposure:** Every listener in the container binds directly on the host's interfaces (typically `0.0.0.0`), with no `ports:` mapping needed and no way to restrict it per service
- **Network Sniffing:** With `CAP_NET_RAW` (granted by default) the container can put host interfaces into promiscuous mode and capture traffic of every other workload on the host
- **Localhost Access:** Services the host binds to `127.0.0.1` on the assumption that "only local processes" can reach them (databases, metrics endpoints, the Docker API if exposed on TCP) are reachable from inside the container
- **No Firewall Protection:** Docker's per-container iptables/NAT rules for published ports do not apply; only whatever host-level firewall exists stands between the container's sockets and the network

## FAQ

**Q: Why does this rule flag using host network mode?**

The service declares `network_mode: host`, so the container shares the host's network stack instead of getting its own network namespace. That removes the isolation Docker networking normally provides: every port the container opens is a host port, and every host-local service is reachable from the container.

**Q: How do I fix this?**

Remove `network_mode: host` from the service, put it on a user-defined network under the top-level `networks:` key, and publish only the ports it must expose with `ports:`; see the How to Fix section above. If host networking is unavoidable, reduce the container's privileges (non-root `user:`, `cap_drop: [ALL]`) and document the exception.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [Docker Network Drivers Documentation](https://docs.docker.com/network/drivers/)
- [CIS Docker Benchmark: Section 5.10](https://www.cisecurity.org/benchmark/docker)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-007
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
