security problem in debug mode

[magicode]

• v6.2.2:
• x86_64 GNU/Linux:
• Ubuntu 14.04.2 LTS:

I found a security problem that can be severe in debug mode

i run app in my server with --debug flag

node --debug app.js

check tcp listen

lsof -p <pid> -P 

and i see this line

node    13721 root   14u  IPv6 2273468957      0t0        TCP *:5858 (LISTEN)

i check it by curl from other server, like this. (i change my ipv6 address)

curl -g -6 http://[2a00:1450:4007:808::200e]:5858/

and i get this

Type: connect
V8-Version: 5.0.71.52
Protocol-Version: 1
Embedding-Host: node v6.2.2
Content-Length: 0

[bnoordhuis]

That is a known issue, see #3306 (comment), and will probably change again some day. Perhaps we can still do this for v7.

We can't do that in release branches because it would be backwards incompatible but you can force it to bind to a local address with --debug=127.0.0.1:5353.

[magicode]

In previous versions node force use loopback
developers can not know this change to listen to anything.
i developer 4 years in node and I was surprised from that.