@v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter.
We maintain an email specifically for handling these issues: email@example.com. If you've located an exploit vector, email us privately there, and we'll get it fixed up!
I suppose one could forego the config.json file completely and use environment variables to configure their NodeBB. The properties are the same.
url=http://localhost:4567 database=redis node app.js etc...