Skip to content
PortsDB

Port reference

Port 5000 (TCP) – UPnP / common dev server

A heavily overloaded port used by UPnP control points, the Flask dev server, the Docker registry, and macOS AirPlay (Control Center).

tcpRegisteredCommonly attacked

Default state

Varies by service. Flask's dev server and the Docker registry bind here when run; on macOS, AirPlay Receiver listens on 5000. Often opened unintentionally during development.

Common attacks

  • Hitting an exposed Flask/Werkzeug debugger for remote code execution
  • Pushing or pulling images from an unauthenticated Docker registry
  • UPnP abuse to map ports or reach internal services (SSRF-style pivots)
  • Information disclosure from debug pages and verbose app errors

Hardening

  • Never run a development server (Flask/Werkzeug debug) in production
  • Bind dev and registry services to localhost, not 0.0.0.0
  • Require authentication and TLS on any exposed Docker registry
  • Disable UPnP on internet-facing gateways and segment IoT devices
  • Firewall 5000 and front production apps with a hardened reverse proxy

nmap snippet

nmap -p5000 --script http-title <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5000?

Port 5000 is heavily overloaded. It's a default for UPnP control points, the Flask/Werkzeug development server, the Docker registry, and — on modern macOS — the AirPlay Receiver (Control Center). What's actually listening depends entirely on the host, which is exactly why it's worth probing.

Why it matters for security

Several of these defaults are dangerous when exposed. A Flask app with the debugger on offers an interactive console — remote code execution — and dev servers leak stack traces. An unauthenticated Docker registry lets attackers pull private images or push tampered ones. UPnP can be abused to map ports or reach internal services.

How it's attacked

Attackers fingerprint 5000 with http-title and banner checks to tell a Flask debugger from a registry or AirPlay. Against a debug console they trigger an error and run arbitrary Python. Against an open registry they enumerate and pull/push images. Exposed UPnP is abused for port mapping and SSRF-style pivots into the internal network.

Hardening checklist

Never run a development server in production and keep the Werkzeug debugger off. Bind dev and registry services to localhost, not 0.0.0.0, and require authentication and TLS on any exposed Docker registry. Disable UPnP on internet-facing gateways and segment IoT devices. Firewall 5000 and front production apps with a hardened reverse proxy. Use the nmap snippet above to check exposure on hosts you are authorized to test.

Related ports

Port 5001Port 5443Port 8080Port 2375

Frequently asked questions

Why is port 5000 associated with so many services?
It's a popular default. UPnP control, the Flask/Werkzeug dev server, the Docker registry, and macOS AirPlay Receiver all use 5000, so what you find there depends entirely on the host.
What's the danger of an exposed Flask app on 5000?
If the Werkzeug debugger is enabled, an attacker can open an interactive console and execute arbitrary Python — full RCE. Development servers also leak stack traces and aren't built to withstand hostile traffic.