From 5a22d8e0134e9f161071e5b67922be1576f8db16 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 30 Aug 2024 11:33:06 -0300 Subject: [PATCH] doc: add alert on REPL from TCP socket PR-URL: https://github.com/nodejs/node/pull/54594 Refs: https://hackerone.com/reports/2684357 Reviewed-By: Matteo Collina Reviewed-By: Marco Ippolito --- doc/api/repl.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/api/repl.md b/doc/api/repl.md index 16378cca8abfc2..89d02ff7eeba60 100644 --- a/doc/api/repl.md +++ b/doc/api/repl.md @@ -774,6 +774,14 @@ a `net.Server` and `net.Socket` instance, see: For an example of running a REPL instance over [`curl(1)`][], see: . +This example is intended purely for educational purposes to demonstrate how +Node.js REPLs can be started using different I/O streams. +It should **not** be used in production environments or any context where security +is a concern without additional protective measures. +If you need to implement REPLs in a real-world application, consider alternative +approaches that mitigate these risks, such as using secure input mechanisms and +avoiding open network interfaces. + [TTY keybindings]: readline.md#tty-keybindings [ZSH]: https://en.wikipedia.org/wiki/Z_shell [`'uncaughtException'`]: process.md#event-uncaughtexception
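Review bot: The new paragraph opens with "This example" but the surrounding context references two examples, the `net.Server`/`net.Socket` one and the `curl(1)` one, and the caution about exposing a REPL on a network interface applies equally to both; consider "These examples are intended purely for educational purposes ..." so the warning is not read as applying only to the `curl(1)` link it directly follows. Also, "additional protective measures" and "secure input mechanisms" are left unspecified, so a reader does not learn what would actually make a socket-backed REPL acceptable; since the paragraph already names "avoiding open network interfaces", stating that recommendation first and more concretely (for example, not listening on a network-reachable address) would give the note actionable weight rather than leaving the mitigation implicit.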