By design, internal ports that are publicly exposed (as :8080 is for a scaled web app) have an exception to allow other gears access; this could not be otherwise under the current port routing scheme and static firewall, as other gears in the same app colocated on the same node may need to access each other, and the external ports are translated into internal IP/port by the DNAT. However, this does not expose anything that isn't already publicly exposed (externally on the node host). It's admittedly surprising, but there's no good way around it. If it were found that a non-exposed internal IP:port could also be connected to this way, then this would be a vulnerability. From the description I don't see it. Propose NOTABUG -- unless there is actual exposure?