Security: NazmulGit/NodeDeck

SECURITY.md

Security Policy

Threat model

This dashboard is designed for local single-user use. It binds to 127.0.0.1 by default for that reason. It can:

  • Spawn arbitrary processes via PM2.
  • Run docker commands (including docker run).
  • Read/write secrets in your OS keychain via docker mcp secret.
  • Write to a local JSON file in data/.

If the dashboard is reachable from a network, or from a browser the operator does not control, every item above becomes attack surface: whoever can reach the port can spawn processes, run containers and read secrets. Do not expose this dashboard to the internet.

Reporting a vulnerability

If you find a security issue, please do not open a public GitHub issue. Instead:

  • Email withnazmul@gmail.com with the subject line node-server-dashboard security.
  • Include reproduction steps, affected files, and a suggested fix if you have one.

We aim to:

  • Acknowledge within 5 business days.
  • Provide a timeline for the fix within 14 days.
  • Credit reporters in the changelog (unless you prefer to remain anonymous).

Scope

In scope:

  • Command injection in any CLI wrapper (pm2, docker, taskkill, …).
  • Path traversal in static file serving.
  • Unsafe parsing of CLI output that could lead to RCE.
  • Secret leakage to logs / response bodies / stdout.

Out of scope:

  • Issues that require exposing the dashboard to the public internet (this is explicitly unsupported).
  • Vulnerabilities in upstream tools (pm2, docker, docker mcp) — please report those upstream.
  • Browser cross-site issues when running on 0.0.0.0 (we don't recommend that configuration).

Hardening tips

  • Keep HOST=127.0.0.1 (the default).
  • Use a different port (PORT=...) if 9615 conflicts.
  • Don't run the dashboard as root / Administrator unless you need PM2 to manage system services.
  • Treat the data/ JSON files as configuration — back them up if you have valuable manual clients or custom catalog entries.

Thanks for helping keep the project safe.