Port reference

Port 3000 (TCP) – Dev Server / Grafana

Common dev-server port (Node.js, Create React App, Rails) and the default for Grafana. No single fixed service.

TCP | Registered port | Commonly attacked

Default state

Open only while a dev server or Grafana is running. Typically plain HTTP, and often bound to all interfaces by mistake rather than to localhost.

Common attacks

  • Grafana path traversal / arbitrary file read (CVE-2021-43798)
  • Default or weak Grafana admin credentials (admin/admin)
  • Accidentally exposed Node/Rails dev servers with debug output
  • Cleartext interception of credentials and session tokens

Known CVEs

  • CVE-2021-43798

Hardening

  • Patch Grafana to a fixed release (CVE-2021-43798 affected 8.0.0–8.3.0)
  • Change default admin credentials and enforce strong auth/MFA
  • Never expose dev servers or Grafana on 3000 directly to the internet
  • Bind to localhost and front with an authenticated TLS reverse proxy
  • Restrict by IP allowlist / VPN and disable framework debug mode

nmap snippet

nmap -p3000 --script http-title,http-headers,http-enum <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3000?

Port 3000 is a popular development-server port — the default for many Node.js apps, Create React App, and Ruby on Rails — and the default web port for Grafana, the metrics and dashboard platform. There is no single fixed service on 3000, so always fingerprint the listener. It typically serves plain HTTP without TLS.

Why it matters for security

Both common occupants are risky when exposed. Grafana holds dashboards, data-source credentials, and API keys, and ships with a default admin/admin login. Dev servers for Node or Rails leak stack traces, source, and config in debug mode. Because 3000 is so commonly bound to all interfaces during development, it is frequently exposed to the internet by accident.

How it's attacked

The standout exploit is CVE-2021-43798, a Grafana path traversal in 8.0.0–8.3.0 that let unauthenticated attackers read arbitrary files — including grafana.ini and secrets — over 3000. Attackers also try default credentials, brute-force the login, trigger dev-server debug output for secrets, and intercept cleartext tokens.
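A defender's view of the traversal described above, as an added example that is not part of this page or of Grafana: the script parses access-log lines (the four lines below are constructed, not a real capture) and flags any request aimed at the plugin asset route whose normalized path escapes that route, including percent-encoded and double-encoded dot segments. The `/public/plugins/` route name and the log format are assumptions; a `200` status on a flagged line marks a likely successful read.

```python
"""Flag path-traversal attempts against Grafana's plugin asset route.

Added example, not part of the page or of Grafana: it parses access-log
lines (constructed below, not a real capture) and reports requests under
/public/plugins/ whose normalized path escapes that root, including
percent-encoded and double-encoded dot segments.
"""
import posixpath
import re
from urllib.parse import unquote

PLUGIN_ROOT = "/public/plugins/"   # assumed route name for plugin assets

# Constructed sample lines in combined log format; the traversal lines
# mirror the shape of the plugin-URL flaw the page describes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /public/plugins/grafana-clock-panel/module.js HTTP/1.1" 200 4120
10.0.0.9 - - [12/Dec/2021:10:01:03 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1860
10.0.0.9 - - [12/Dec/2021:10:01:04 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2fconf/grafana.ini HTTP/1.1" 200 9000
10.0.0.7 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(path):
    """Decode and collapse a request path the way a lax file server might."""
    raw = path.split("?", 1)[0]
    decoded = unquote(unquote(raw))       # second pass catches %252e-style double encoding
    decoded = decoded.replace("\\", "/")  # backslash segments are sometimes accepted too
    return posixpath.normpath(decoded)


def is_traversal(path):
    """True when a request aimed at the plugin route resolves outside it."""
    raw = unquote(unquote(path.split("?", 1)[0]))
    if not raw.startswith(PLUGIN_ROOT):
        return False
    return not normalize(path).startswith(PLUGIN_ROOT)


def scan_log(text):
    """Return one finding per traversal attempt; status 200 marks a likely success."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "normalized": normalize(m["path"]),
            "status": int(m["status"]),
            "likely_success": m["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} -> {f['normalized']}")
```

Run it against the real access log of a proxy in front of port 3000; two hits from the same source with `likely_success` set are the signal to rotate the data-source credentials and API keys stored in the instance, since the page notes grafana.ini and secrets were readable.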

Hardening checklist

Patch Grafana (CVE-2021-43798 affected 8.0.0–8.3.0) and change the default admin login, enforcing strong auth and MFA. Never expose a dev server or Grafana on 3000 directly — bind to 127.0.0.1 and front it with an authenticated TLS reverse proxy. Restrict by IP allowlist or VPN and disable framework debug mode. The nmap snippet checks title, headers, and common paths on systems you are authorized to test.
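One way to check the loopback-bind, default-credential and anonymous-access points of the checklist against a Grafana configuration file, as an added example that is not Grafana's own tooling: the function reads a grafana.ini with the standard library and returns a finding code for each weak setting. The keys it reads are real Grafana settings (`[server] http_addr` and `protocol`, `[security] admin_password`, `[auth.anonymous] enabled`); both sample configs are constructed, and the `${GRAFANA_ADMIN_PASSWORD}` environment variable name is a placeholder.

```python
"""Audit a grafana.ini for the exposure patterns the hardening checklist lists.

Added example, not Grafana's own tooling. The keys it reads are real Grafana
settings ([server] http_addr and protocol, [security] admin_password,
[auth.anonymous] enabled); both sample configs are constructed, and the
${GRAFANA_ADMIN_PASSWORD} environment variable name is a placeholder.
"""
import configparser

# Constructed: the shape of a freshly installed, internet-exposed instance.
WEAK_INI = """\
[server]
protocol = http
http_addr =
http_port = 3000

[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true
"""

# Constructed: loopback bind behind a TLS reverse proxy, secret taken from the environment.
HARDENED_INI = """\
[server]
protocol = http
http_addr = 127.0.0.1
http_port = 3000
root_url = https://grafana.example.internal/

[security]
admin_user = admin
admin_password = ${GRAFANA_ADMIN_PASSWORD}

[auth.anonymous]
enabled = false
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ALL_INTERFACES = {"", "0.0.0.0", "::"}   # Grafana treats an empty http_addr as "bind everywhere"


def audit_grafana_ini(text):
    """Return a list of finding codes; an empty list means no issue detected."""
    # Grafana's ${ENV} expansion syntax would trip configparser's %-interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    addr = cfg.get("server", "http_addr", fallback="").strip()
    proto = cfg.get("server", "protocol", fallback="http").strip().lower()
    if addr in ALL_INTERFACES:
        findings.append("BIND_ALL_INTERFACES")      # reachable on every NIC, not just via the proxy
    if addr not in LOOPBACK and proto != "https":
        findings.append("CLEARTEXT_OFF_LOOPBACK")   # logins and session tokens cross the network unencrypted

    # Grafana's shipped default is admin/admin, so a missing key counts as the default.
    if cfg.get("security", "admin_password", fallback="admin").strip() in ("", "admin"):
        findings.append("DEFAULT_ADMIN_PASSWORD")
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("ANONYMOUS_ACCESS")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_grafana_ini(WEAK_INI))
    print("hardened:", audit_grafana_ini(HARDENED_INI))
```

Plain `http` is only accepted when the listener is on loopback, which is the checklist's intended layout: the reverse proxy terminates TLS and authenticates, and Grafana itself never answers off-host. A non-loopback bind with `protocol = https` passes the cleartext check but still needs the allowlist or VPN restriction from the checklist.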

Frequently asked questions

What is port 3000 used for?

It is a common development-server port (Node.js, Create React App, Ruby on Rails) and the default for Grafana. There is no single fixed service, so fingerprint what is actually listening before drawing conclusions.

What is CVE-2021-43798 on port 3000?

A path-traversal flaw in Grafana 8.0.0–8.3.0 let an unauthenticated attacker read arbitrary files (including grafana.ini and secrets) via plugin URLs on port 3000. Patch Grafana and never expose it directly to the internet.