From 0e96379fe0084240558242401d78f838648970f2 Mon Sep 17 00:00:00 2001 From: Chubiyojo Adejoh Date: Fri, 4 Apr 2025 15:53:15 +0100 Subject: [PATCH 1/2] Update services.md Explicitly state the dangers if a port mapping binds to all interfaces --- content/reference/compose-file/services.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/reference/compose-file/services.md b/content/reference/compose-file/services.md index 873105e0d9c1..7fcac94b2c31 100644 --- a/content/reference/compose-file/services.md +++ b/content/reference/compose-file/services.md @@ -1572,6 +1572,11 @@ in the form: - `CONTAINER` is `port | range`. - `PROTOCOL` restricts ports to a specified protocol either `tcp` or `udp`(optional). Default is `tcp`. +>[!CAUTION] +> +>If you do not specify an IP address (such as 127.0.0.1) and it binds to all interfaces then any machine on the same network could +>potentially have access to the container. This could be especially dangerous if the container is exposed to the internet. + Ports can be either a single value or a range. `HOST` and `CONTAINER` must use equivalent ranges. You can either specify both ports (`HOST:CONTAINER`), or just the container port. In the latter case, @@ -1580,6 +1585,8 @@ the container runtime automatically allocates any unassigned port of the host. `HOST:CONTAINER` should always be specified as a (quoted) string, to avoid conflicts with [YAML base-60 float](https://yaml.org/type/float.html). + + IPv6 addresses can be enclosed in square brackets. Examples: From a3c991680b6eb8364dbfc50917d009b50377ad30 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 9 Apr 2026 10:29:19 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- content/reference/compose-file/services.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/content/reference/compose-file/services.md b/content/reference/compose-file/services.md index 000b3b98183d..98acc13cc151 100644 --- a/content/reference/compose-file/services.md +++ b/content/reference/compose-file/services.md @@ -1629,10 +1629,9 @@ in the form: - `CONTAINER` is `port | range`. - `PROTOCOL` restricts ports to a specified protocol either `tcp` or `udp`(optional). Default is `tcp`. ->[!CAUTION] +> [!WARNING] > ->If you do not specify an IP address (such as 127.0.0.1) and it binds to all interfaces then any machine on the same network could ->potentially have access to the container. This could be especially dangerous if the container is exposed to the internet. +> If you do not specify a host IP (such as `127.0.0.1`), Docker binds to all interfaces (`0.0.0.0`), bypassing host firewall rules. This can expose the container directly to the internet if the host has a public IP address. For more information, see [Port publishing and mapping](/manuals/engine/network/port-publishing.md). Ports can be either a single value or a range. `HOST` and `CONTAINER` must use equivalent ranges.
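Review bot: In the first hunk of [PATCH 1/2] (`@@ -1572,6 +1572,11 @@`), the added caution reads "If you do not specify an IP address (such as 127.0.0.1) and it binds to all interfaces", which presents binding to all interfaces as a second condition the reader has to check rather than as the result of leaving out the host IP, and "it" has no clear referent. State the consequence directly, put `127.0.0.1` in backticks like the other literals in this list, and add a space after `>` in `>[!CAUTION]`. [PATCH 2/2] rewrites the block along these lines, so the two commits could be squashed to keep the intermediate wording out of history.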
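Review bot: The second hunk of [PATCH 1/2] (`@@ -1580,6 +1585,8 @@`) adds two empty lines before "IPv6 addresses can be enclosed in square brackets.", which is unrelated to the warning and accounts for two of the seven insertions in the diffstat. Drop them from the commit; the hunk shown for [PATCH 2/2] does not touch this region, so they would remain after the series is applied.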
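Review bot: In the [PATCH 2/2] hunk (`@@ -1629,10 +1629,9 @@`), the new warning names only `0.0.0.0` as the default bind, while the same section goes on to say that IPv6 addresses can be enclosed in square brackets; say whether leaving out the host IP also publishes the port on IPv6, so a reader does not conclude that only IPv4 is affected. The warning would also be more actionable if it showed the safe form next to the risk, such as a mapping with `127.0.0.1:` prefixed to the host port, or pointed at the examples later in the section. "Bypassing host firewall rules" is stated without qualification and the reader has to follow the link to learn which rules are meant; a short clause here would help.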