@v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter 🙂
We maintain an email specifically for handling these issues: [email protected]. If you've located an exploit vector, email us privately there, and we'll get it fixed up!
But if that's the case, why are we asked during installation whether a port should be used for the connection or not? And if the answer is n, that answer is reflected in config.json, but the port is still used anyway.