
Port 5000 occupies a strange position in the Internet's port hierarchy: technically unassigned by IANA, yet claimed by some of the most widely used services in computing. If you've ever run a Flask application on macOS and received an "address already in use" error, you've encountered the consequences of this ambiguity.

This port has no RFC. No formal specification. No authoritative owner. And that's precisely what makes it interesting.

What Runs on Port 5000

Port 5000 serves multiple masters, none of whom coordinated with each other:

UPnP Event Notification (Historical): The original tenant. When Microsoft shipped Universal Plug and Play in Windows ME and XP, port 5000 TCP handled GENA (General Event Notification Architecture) subscriptions between devices.1 Your router telling your PC about network changes. Your media server announcing new content to your TV.

Flask Development Server: The Python web framework's default since its creation. When you run flask run without arguments, it binds to localhost:5000.2 Millions of developers have built their applications assuming this port would be available.

Synology DSM: Every Synology NAS uses port 5000 for its web-based management interface (HTTP) and port 5001 for HTTPS.3 This affects hundreds of thousands of home servers and small business storage systems.

Apple AirPlay Receiver: Starting with macOS Monterey in 2021, Apple's Control Center process listens on port 5000 to receive AirPlay streams from other devices.4 This single decision broke the development workflows of countless programmers.

Docker Registry: The default port for local Docker registries, adding yet another claimant to this crowded address.5

The UPnP Story

On January 7, 1999, at the Consumer Electronics Show in Las Vegas, Craig Mundie took the stage to announce Microsoft's vision for a connected home.6 The technology was called Universal Plug and Play, and it promised something radical: devices that could join a network and immediately discover each other without any configuration.

The team behind the core protocols included Yaron Goland, who led the design of SSDP (Simple Service Discovery Protocol) and authored the IETF drafts that defined how devices would find each other.7 The proposal, submitted jointly by Microsoft and Hewlett-Packard in October 1999, described a system where devices would announce their presence by multicasting to a specific address: 239.255.255.250:1900.8

But discovery was only half the problem. Devices also needed to notify each other about changes. When your media server added new photos, it needed to tell your digital picture frame. When your printer ran low on ink, it needed to alert your PC. This notification system, called GENA, originally used port 5000 for its subscriptions and event callbacks.9

The IETF draft expired in April 2000 without becoming a formal standard, but UPnP had already shipped in Windows ME. The protocol lived on through the UPnP Forum, formed in June 1999 by Microsoft, Intel, Sony, and other major technology companies.10

In Windows XP Service Pack 2, Microsoft moved the SSDP event notification service from port 5000 to port 2869, but the original port assignment persisted in documentation and older implementations for years.11

How UPnP Actually Works

UPnP operates through a carefully choreographed sequence:

Step 1: Addressing. A device joins the network and obtains an IP address via DHCP or Auto-IP.

Step 2: Discovery. The device announces itself by sending SSDP messages to the multicast address 239.255.255.250 on UDP port 1900. Other devices listening on this address learn about the newcomer. Devices can also send M-SEARCH queries to actively discover what's available.

Step 3: Description. Interested parties fetch XML documents describing the device's capabilities, typically via HTTP.

Step 4: Control. Devices exchange SOAP messages over HTTP to invoke actions. A control point might tell a media renderer to play a file, or instruct a router to forward a port.

Step 5: Eventing. Devices subscribe to state changes using GENA. When something important happens, the device publishes an event to all subscribers.

The elegant insight was building everything on existing web standards: HTTP, XML, SOAP. No new protocols to learn. No special hardware required. Any device that could speak HTTP could participate.12

The most consequential UPnP profile was the Internet Gateway Device (IGD), which allowed applications to request port mappings from NAT routers.13 This is how your game console opens ports for multiplayer, how your BitTorrent client accepts incoming connections, and how your video calling app punches through your firewall.

The Flask Default

When Armin Ronacher created Flask in 2010, he needed a default port for the development server. Port 5000 sat in the registered port range (1024-49151), high enough to avoid requiring root privileges, low enough to be memorable.14 It wasn't assigned to anything by IANA. It seemed like unclaimed territory.

Flask's development server, built on the Werkzeug WSGI toolkit, would bind to 127.0.0.1:5000 by default when you called app.run().15 Millions of tutorials were written assuming this port. Countless development environments were configured around it.

Then came macOS Monterey.

Apple's Quiet Claim

In fall 2021, Apple shipped macOS Monterey with a new feature: any Mac could now act as an AirPlay receiver. Your iPhone could stream video to your MacBook. Your iPad could mirror its screen to your iMac.

The feature was controlled by a system service that bound to port 5000.16

Developers discovered this through error messages. EADDRINUSE: address already in use 0.0.0.0:5000. Flask applications wouldn't start. Node.js servers failed to bind. The culprit was a process called ControlCenter that would respawn itself if killed.

The solution was straightforward but frustrating: navigate to System Settings, find AirDrop & Handoff, and disable AirPlay Receiver.17 Or change your development server's port to 5001 or 8000 or anything else.

Apple had claimed port 5000 for consumer convenience, breaking the workflows of professional developers who had assumed it would remain available.

Security: UPnP's Troubled History

The convenience of automatic port mapping came with a price. UPnP was designed for trusted home networks and implemented no authentication whatsoever.18 Any device, or any malware running on any device, could request port forwarding from your router.

In January 2013, researchers at Rapid7 published devastating findings: over 80 million devices on the public Internet responded to UPnP discovery requests. Between 40 and 50 million were vulnerable to at least one of three critical exploits. Over 23 million IPs could be compromised with a single UDP packet targeting the Portable UPnP SDK.19

The US Department of Homeland Security urged businesses to disable UPnP entirely.20

The vulnerabilities kept coming:

CVE-2014-8361: A command injection vulnerability in Realtek's SDK allowed attackers to execute arbitrary code through the UPnP SOAP interface.21

CVE-2020-12695 (CallStranger): Discovered by researcher Yunus Çadırcı, this vulnerability in billions of devices allowed data exfiltration, internal network scanning, and participation in DDoS attacks through the UPnP SUBSCRIBE function.22

UPnProxy and Eternal Silence: Akamai researchers found that attackers were using vulnerable UPnP implementations to create proxy networks, hiding their malicious traffic behind compromised home routers. Out of 3.5 million UPnP routers found online, 277,000 were vulnerable, and 45,113 were already infected.23

The Mirai botnet, which brought down much of the Internet in October 2016, prompted CISA to explicitly recommend disabling UPnP on all routers.24 Subsequent variants like Satori used UPnP vulnerabilities as an infection vector.25

The protocol designed to make home networking effortless had become a persistent security liability.
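
The GENA SUBSCRIBE request from Step 5 names its own delivery address in a CALLBACK header, and CallStranger relies on devices accepting that address unchecked. The check below is an added example, not code from this page or from any UPnP stack. The sample requests are constructed, and the policy (the callback must be an IP literal on an assumed 192.168.1.0/24 LAN and must equal the subscriber's own address) is an assumption of the example.

```python
import email
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed GENA requests (sample data, not captured traffic).
SAMPLE_OK = (b"SUBSCRIBE /evt/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
             b"CALLBACK: <http://192.168.1.20:49152/notify>\r\nNT: upnp:event\r\n"
             b"TIMEOUT: Second-1800\r\n\r\n")
SAMPLE_BAD = SAMPLE_OK.replace(
    b"<http://192.168.1.20:49152/notify>",
    b"<http://203.0.113.9/collect> <http://192.168.1.77:8080/>")

def check_subscribe(raw: bytes, peer_ip: str, lan: str = "192.168.1.0/24") -> list:
    """Return the reasons to reject a GENA SUBSCRIBE; an empty list means accept."""
    request_line, _, rest = raw.partition(b"\r\n")
    if request_line.split(b" ", 1)[0].upper() != b"SUBSCRIBE":
        return ["not a SUBSCRIBE request"]
    headers = email.message_from_bytes(rest)  # header names match case-insensitively
    if "SID" in headers:
        # A renewal identifies the subscription by SID and carries no CALLBACK or NT.
        return [f"renewal carries {h}" for h in ("CALLBACK", "NT") if h in headers]
    problems = []
    if headers.get("NT", "").strip() != "upnp:event":
        problems.append("NT is not upnp:event")
    # CALLBACK holds one or more delivery URLs, each wrapped in angle brackets.
    urls = re.findall(r"<([^<>]+)>", headers.get("CALLBACK", ""))
    if not urls:
        problems.append("no CALLBACK URL")
    net, peer = ipaddress.ip_network(lan), ipaddress.ip_address(peer_ip)
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            # Hostnames are refused so the device never resolves attacker-chosen names.
            problems.append(f"{url}: host is not an IP literal")
            continue
        if parts.scheme != "http":
            problems.append(f"{url}: scheme is not http")
        elif host not in net:
            problems.append(f"{url}: outside {net}")
        elif host != peer:
            problems.append(f"{url}: not the subscriber's own address")
    return problems

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_subscribe(sample, "192.168.1.20"))
```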

Checking Port 5000

To see what's using port 5000 on your system:

macOS/Linux:

lsof -i :5000

Windows:

netstat -ano | findstr :5000

If you find ControlCenter or similar system processes on macOS, disable AirPlay Receiver in System Settings → General → AirDrop & Handoff.

For Synology NAS users, the DSM interface will be accessible at http://your-nas-ip:5000 by default. You can change this in Control Panel → Login Portal → DSM.26
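
lsof and netstat name the process that owns the socket; when the listener is on another host, or you only have network access, the HTTP response headers identify the tenant instead. The probe below is an added example, not code from this page. The header signatures are the ones these services are known to send, the sample header sets are constructed, and Synology DSM is not fingerprinted here, so it falls through to the generic label.

```python
import http.client

# (header name, lowercase substring, label) for services the page lists on port 5000.
SIGNATURES = [
    ("Server", "airtunes", "AirPlay Receiver"),
    ("Server", "werkzeug", "Flask/Werkzeug development server"),
    ("Docker-Distribution-Api-Version", "registry/", "Docker Registry"),
    ("Server", "upnp/", "UPnP device"),
]

# Constructed header sets (sample data, not captured responses).
SAMPLE_AIRPLAY = [("Content-Length", "0"), ("Server", "AirTunes/000.0")]
SAMPLE_FLASK = [("Server", "Werkzeug/0.0.0 Python/3.0.0"), ("Content-Type", "text/html")]
SAMPLE_REGISTRY = [("Docker-Distribution-Api-Version", "registry/2.0")]
SAMPLE_OTHER = [("Server", "nginx")]

def classify(headers) -> str:
    """Map (name, value) response-header pairs to a likely port-5000 tenant."""
    seen = {name.lower(): value.lower() for name, value in headers}
    for name, needle, label in SIGNATURES:
        if needle in seen.get(name.lower(), ""):
            return label
    return "unidentified HTTP service"

def probe(host: str = "127.0.0.1", port: int = 5000, timeout: float = 2.0):
    """Return a label for whatever answers on host:port, or None if nothing listens."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # /v2/ is the registry API base path; the other services still
        # answer it with an error status that carries their headers.
        conn.request("GET", "/v2/")
        return classify(conn.getresponse().getheaders())
    except ConnectionRefusedError:
        return None  # nothing is bound: the port is free for a dev server
    except (http.client.HTTPException, OSError):
        return "listening, but not speaking HTTP"
    finally:
        conn.close()

if __name__ == "__main__":
    print(probe() or "nothing is listening on port 5000")
```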

The Lesson of Port 5000

Port 5000 tells a cautionary tale about the Internet's informal governance. Without formal IANA assignment, multiple parties independently decided this port number suited their needs. Microsoft chose it for UPnP events. Flask chose it for development convenience. Synology chose it for NAS management. Apple chose it for AirPlay streaming.

Each choice made sense in isolation. Together, they created a collision course that still affects developers today.

The port remains unassigned. The conflicts remain unresolved. And somewhere right now, a developer is staring at an "address already in use" error, wondering why their perfectly reasonable port choice isn't available.

  • Port 1900: UPnP SSDP discovery via multicast
  • Port 2869: Modern Windows SSDP event notification
  • Port 5001: Synology DSM HTTPS, common Flask alternative
  • Port 8000: Common alternative development server port
  • Port 8080: HTTP alternate, another popular development choice
