pathfinder scan --ruleset python/PYTHON-LANG-SEC-070 --project .
About This Rule
Understanding the vulnerability and how it is detected
Binding a socket to 0.0.0.0 (or "::" for IPv6) causes the service to listen on all available network interfaces simultaneously, including loopback (localhost), private LAN, and public internet interfaces. This exposes internal services to the public internet when the host has a public IP address.
In production environments, services should bind to specific interfaces: localhost (127.0.0.1) for local-only services, the internal network interface IP for intranet services, or the load balancer's internal interface for web services fronted by a reverse proxy.
Binding to 0.0.0.0 is common during development and often left unchanged in production. This can expose debug endpoints, admin interfaces, internal APIs, and development servers to the public internet.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Accidental Public Exposure of Internal Services
Services bound to 0.0.0.0 on a host with a public IP are accessible from the internet. Development servers, debug endpoints, admin interfaces, and internal APIs accidentally exposed this way have been a common source of data breaches.
Bypass of Network Security Controls
Services intended to be accessed only from internal networks or through a load balancer can be directly accessed by external clients when bound to 0.0.0.0, bypassing firewall rules, WAFs, authentication layers, and rate limiting applied at the load balancer.
Service Discovery and Fingerprinting
Publicly accessible services reveal information about the server's technology stack, version, and configuration through banner grabbing, error messages, and protocol fingerprinting, enabling targeted attacks.
Debug Endpoint Exposure
Development services like Flask's built-in server, Jupyter notebooks, and debug consoles commonly bind to 0.0.0.0 by default. Deploying these in production exposes interactive Python execution environments to the internet.
How to Fix
Recommended remediation steps
1. Bind services to specific interfaces (127.0.0.1 for local-only, the load balancer or proxy interface for proxied services) rather than 0.0.0.0.
2. Configure the bind address from environment variables or deployment configuration rather than hardcoding 0.0.0.0.
3. Use firewall rules (iptables, security groups) as an additional layer of protection even when binding to specific interfaces.
4. For containerized deployments, publish only the necessary ports and use Docker's -p flag to bind to specific host interfaces.
5. Audit all listening services with netstat or ss to verify no unintended services are exposed on public interfaces.
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects socket.bind() calls where the first element of the address tuple is "0.0.0.0" or "::" (all interfaces). The rule flags these for review to ensure the all-interfaces binding is intentional and protected by appropriate network controls.
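The check described above, written out as a small AST walker (an added example, not Code Pathfinder's own engine): it flags only `.bind()` calls whose address tuple starts with the literal "0.0.0.0" or "::", so a host read from configuration (the recommended fix) is left alone. The sample source it scans is constructed for the example.

```python
"""Minimal re-implementation of the all-interfaces bind check (added example, not
Code Pathfinder's rule engine). Walks a Python file's AST and reports every
``<obj>.bind((host, port, ...))`` call whose host is the literal "0.0.0.0" or "::"."""
import ast

ALL_INTERFACES = {"0.0.0.0", "::"}


def find_all_interface_binds(source: str):
    """Return sorted (line, host) pairs for each .bind() whose address tuple
    starts with a literal all-interfaces host. Hosts built from env vars or
    config are not literals and therefore are not flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "bind"
                and node.args):
            continue
        addr = node.args[0]
        # AF_INET uses (host, port); AF_INET6 uses (host, port, flowinfo, scope_id).
        if isinstance(addr, ast.Tuple) and addr.elts:
            host = addr.elts[0]
            if isinstance(host, ast.Constant) and host.value in ALL_INTERFACES:
                findings.append((node.lineno, host.value))
    return sorted(findings)


# Constructed sample input: the first two binds should be flagged, the last two not.
SAMPLE = '''
import os, socket
s = socket.socket()
s.bind(("0.0.0.0", 8080))           # flagged: all IPv4 interfaces
s6 = socket.socket(socket.AF_INET6)
s6.bind(("::", 8080, 0, 0))         # flagged: all IPv6 interfaces
local = socket.socket()
local.bind(("127.0.0.1", 8080))     # loopback only, not flagged
cfg = socket.socket()
cfg.bind((os.environ.get("BIND_HOST", "127.0.0.1"), 8080))  # configurable, not flagged
'''

if __name__ == "__main__":
    for line, host in find_all_interface_binds(SAMPLE):
        print(f"line {line}: socket bound to all interfaces ({host!r})")
```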
Similar Rules
Explore related security rules for Python
Paramiko Implicit Host Key Trust (AutoAddPolicy)
paramiko.AutoAddPolicy() and WarningPolicy() automatically accept unknown SSH host keys, enabling man-in-the-middle attacks on SSH connections.
Paramiko exec_command() Usage
paramiko exec_command() runs commands on a remote host. Audit that command arguments are not derived from untrusted input to prevent command injection.
multiprocessing Connection.recv() Usage
multiprocessing.Connection.recv() uses pickle internally and is not safe for receiving data from untrusted connections.