Dart Io Httpserver Insecure Bind
Description
This vulnerability detector identifies insecure HTTP server binding in Dart applications: a server bound to all network interfaces (0.0.0.0 or ::) accepts connections from every network the host is attached to, rather than only from localhost. That exposes the service, including any debug or unauthenticated endpoints it serves, beyond its intended scope and adds unnecessary attack surface in production. Binding to every interface is sometimes intentional (for example, a containerised service reached only through a reverse proxy), so such findings should be confirmed against the deployment; a service that must be reachable over the network should bind to a specific interface and serve TLS (HttpServer.bindSecure) behind authentication rather than listen openly on all of them.
Detection Strategy
• Reports a call to an HttpServer bind method (bind, or bindSecure for TLS) whose first argument, the bind address, resolves to every interface: InternetAddress.anyIPv4, InternetAddress.anyIPv6, or the literal addresses 0.0.0.0 and ::
• Only applies when the dart:io library is imported, so that HttpServer is the standard library class rather than an unrelated type with the same name
• Does not report loopback addresses (InternetAddress.loopbackIPv4, InternetAddress.loopbackIPv6, 127.0.0.1, ::1) or a specific interface address
• Stays silent when the bind address cannot be resolved statically, for example a value read from configuration at runtime, since only addresses known to cover all interfaces are considered dangerous
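To make the strategy above concrete, the following is an added example and not Fluid Attacks' detection engine or code from the original page: a small Python checker that applies the same four rules to Dart source text. It is a text-level approximation, not a Dart parser. It requires a dart:io import, finds HttpServer.bind and HttpServer.bindSecure calls, extracts the first argument with bracket and quote tracking, follows one level of local constant assignment (so `const listenOn = '::';` is still caught), and reports only addresses that resolve to every interface. The address lists and the Dart samples it runs over are constructed for this example.

```python
import re
from dataclasses import dataclass

# Address expressions treated as "all interfaces". This list belongs to the example,
# not to the real detector's configuration.
ANY_INTERFACE_CONSTANTS = {"InternetAddress.anyIPv4", "InternetAddress.anyIPv6"}
ANY_INTERFACE_LITERALS = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}

IMPORT_DART_IO = re.compile(r"""^\s*import\s+['"]dart:io['"][^;]*;""", re.MULTILINE)
BIND_CALL = re.compile(r"\bHttpServer\s*\.\s*(bind|bindSecure)\s*\(")
# `const addr = ...;` or `final InternetAddress addr = ...;` (one level of indirection)
LOCAL_DECL = re.compile(r"\b(?:const|final|var)\s+(?:\w+\s+)?(\w+)\s*=\s*([^;]+);")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based source line of the HttpServer call
    method: str    # "bind" or "bindSecure"
    address: str   # first argument exactly as written


def first_argument(src: str, pos: int) -> str:
    """Text of the first argument of a call whose argument list starts at src[pos].
    Tracks brackets and quotes so InternetAddress('0.0.0.0') is returned whole."""
    depth, quote = 0, ""
    for i in range(pos, len(src)):
        ch = src[i]
        if quote:
            if ch == quote:
                quote = ""
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                return src[pos:i].strip()
            depth -= 1
        elif ch == "," and depth == 0:
            return src[pos:i].strip()
    return src[pos:].strip()


def binds_all_interfaces(expr: str, local_decls: dict[str, str]) -> bool:
    """True when the address expression resolves to 0.0.0.0 / :: (every interface)."""
    expr = re.sub(r"\s+", "", expr)
    if expr in local_decls:                      # follow `const listenOn = '::';`
        expr = re.sub(r"\s+", "", local_decls[expr])
    if expr in ANY_INTERFACE_CONSTANTS:
        return True
    m = re.fullmatch(r"""InternetAddress\(['"]([^'"]*)['"]\)|['"]([^'"]*)['"]""", expr)
    if not m:
        return False                             # runtime value: unresolved, not reported
    return (m.group(1) or m.group(2)) in ANY_INTERFACE_LITERALS


def find_insecure_binds(src: str) -> list[Finding]:
    """Apply the rule to the text of one Dart file."""
    if not IMPORT_DART_IO.search(src):
        return []                                # HttpServer is not dart:io's here
    local_decls = {name: value.strip() for name, value in LOCAL_DECL.findall(src)}
    findings = []
    for call in BIND_CALL.finditer(src):
        arg = first_argument(src, call.end())
        if binds_all_interfaces(arg, local_decls):
            findings.append(Finding(src.count("\n", 0, call.start()) + 1, call.group(1), arg))
    return findings


# Constructed Dart sources for this example (not taken from any real project).
VULNERABLE_SOURCE = """\
import 'dart:io';

Future<void> main() async {
  final server = await HttpServer.bind(InternetAddress.anyIPv4, 8080);
}
"""
INDIRECT_SOURCE = """\
import 'dart:io' show HttpServer, SecurityContext;

const listenOn = '::';

Future<void> main() async {
  await HttpServer.bindSecure(listenOn, 8443, SecurityContext());
}
"""
SAFE_SOURCE = """\
import 'dart:io';

Future<void> main() async {
  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, 8080);
}
"""
NO_IMPORT_SOURCE = """\
void main() {
  HttpServer.bind('0.0.0.0', 8080);  // some other class: no dart:io import
}
"""

if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_SOURCE), ("indirect", INDIRECT_SOURCE),
               ("safe", SAFE_SOURCE), ("no-import", NO_IMPORT_SOURCE)]
    for name, src in samples:
        for f in find_insecure_binds(src):
            print(f"{name}:{f.line}: HttpServer.{f.method} binds all interfaces via {f.address}")
```

Running the block reports the `vulnerable` and `indirect` samples and nothing for the `safe` and `no-import` ones. The deliberate gap is the last rule above: an address that arrives from configuration or a function call is left unreported rather than guessed, which keeps false positives down at the cost of missing binds that only become 0.0.0.0 at runtime.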
Vulnerable code example
import 'dart:io';
// VULNERABLE: HTTP server binds to all network interfaces (0.0.0.0)
Future<void> main() async {
await HttpServer.bind(InternetAddress.anyIPv4, 8080); // Exposes server to entire network
}
✅ Secure code example
import 'dart:io';
// SAFE: HTTP server binds to loopback interface only
Future<void> main() async {
await HttpServer.bind(InternetAddress.loopbackIPv4, 8080); // Only accessible from localhost
}