Port 5984 (TCP) – Apache CouchDB

Default port for the Apache CouchDB HTTP/REST API used to store and query JSON documents.

tcp | Registered | Commonly attacked

Default state

Older CouchDB ran in 'admin party' mode with no administrator and no authentication, and could bind to 0.0.0.0, so anyone reaching 5984 had full read/write/admin access.

Common attacks

  • Unauthenticated REST access ('admin party') to read, modify, or delete all databases
  • CVE-2017-12635 privilege escalation to gain admin via crafted role JSON
  • CVE-2017-12636 remote code execution via config/query server abuse
  • Ransom attacks that wipe databases and leave a payment note

CVE-2017-12635, CVE-2017-12636

Hardening

  • Create an admin and disable admin party; require authentication
  • Bind to localhost or a private interface; never expose 5984 to the internet
  • Require TLS and firewall to trusted hosts only
  • Patch CouchDB and Erlang to fix CVE-2017-12635/12636
  • Restrict the config and query-server interfaces

nmap snippet

nmap -p5984 --script http-title <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5984?

Port 5984 is the default for the Apache CouchDB HTTP/REST API. CouchDB is a document database that stores JSON documents and exposes everything — data, configuration, and administration — through HTTP, so applications and admins interact with it entirely over 5984. CouchDB is built on Erlang/OTP.

Why it matters for security

Because CouchDB is administered over plain HTTP, exposure on 5984 is critical. Older versions ran in 'admin party' mode with no administrator and no authentication, granting full read/write/admin access to anyone who could reach the port. CouchDB also suffered CVE-2017-12635 (privilege escalation) and CVE-2017-12636 (remote code execution), which together turned an open instance into full host compromise.

How it's attacked

Attackers scan for open 5984 and, against admin-party instances, issue unauthenticated REST calls to dump, modify, or delete every database. On unpatched versions they chain CVE-2017-12635 to gain admin and CVE-2017-12636 to achieve remote code execution. Exposed CouchDB is also frequently wiped and ransomed, leaving a payment note in place of the data.

Hardening checklist

Create an administrator account to end admin party and require authentication. Bind CouchDB to localhost or a private interface, keep 5984 off the public internet, require TLS, and firewall to trusted hosts. Patch CouchDB and Erlang to fix CVE-2017-12635/12636, and restrict the config and query-server interfaces. Use the nmap snippet above to check exposure on hosts you are authorized to test.
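The checklist above can be checked against a node's configuration file before the port is ever reachable. The following is an added example, not code from the CouchDB project: it reads a CouchDB ini file and reports which checklist items are unmet. The function names and both sample configs are constructed for illustration, and it assumes the settings live in the ini file rather than being set only at runtime.

```python
import configparser

# Constructed sample configs (not taken from any real deployment).
WEAK = """
[chttpd]
bind_address = 0.0.0.0
port = 5984
"""
HARDENED = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true
[admins]
ops = -pbkdf2-CONSTRUCTED-PLACEHOLDER
[ssl]
enable = true
"""
WILDCARD = {"0.0.0.0", "::"}
# require_valid_user has lived in different sections across releases.
AUTH_SECTIONS = ("chttpd", "chttpd_auth", "couch_httpd_auth")

def is_true(cp, section, key):
    return cp.get(section, key, fallback="false").strip().lower() == "true"

def audit_couchdb_ini(text):
    """Return findings for one CouchDB ini file, in checklist order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # Admin party: no [admins] section, or one with no entries.
    if not cp.has_section("admins") or not cp.items("admins"):
        findings.append("admin-party: no account under [admins]")
    # Listener address: [chttpd] in 2.x/3.x, [httpd] in 1.x.
    for section in ("chttpd", "httpd"):
        addr = cp.get(section, "bind_address", fallback="").strip()
        if addr in WILDCARD:
            findings.append(f"exposure: [{section}] bind_address = {addr}")
    # Every request should need credentials.
    if not any(is_true(cp, s, "require_valid_user") for s in AUTH_SECTIONS):
        findings.append("auth: require_valid_user is not true")
    # Native TLS listener; a TLS-terminating proxy is the alternative.
    if not is_true(cp, "ssl", "enable"):
        findings.append("tls: [ssl] enable is not true")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_couchdb_ini(text) or "no findings")
```

A "tls" finding is expected, and acceptable, when CouchDB listens only on localhost behind a proxy that terminates TLS.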

Frequently asked questions

What is CouchDB 'admin party' mode?

By default, older CouchDB had no admin user, so every client had full administrative rights over the HTTP API. Create an admin account immediately, require authentication, and bind to localhost.

How serious were CVE-2017-12635 and CVE-2017-12636?

Very. CVE-2017-12635 let an attacker escalate to admin via a crafted role document, and CVE-2017-12636 chained to remote code execution. Patch CouchDB and restrict access to port 5984.