CME-205

Service Binding to Localhost

Isolate Network High Confidence

Description

Configures services to listen only on 127.0.0.1/::1, eliminating remote network attack vector entirely. Remote access must go through a reverse proxy or tunnel.

CVSS Vector Impacts

Metric Transition Rationale
Attack Vector (AV) N L Service not reachable from network; requires local access

CWE Relationships

CWE-284 CWE-668

Verification

Check service listen address is localhost only

$ ss -tlnp | grep ':8080'
# Expected: 127.0.0.1:8080
Platform: linux
← CME-204: IPsec / WireGuard (Encrypted Transport) CME-206: Network Policy (Kubernetes) →