The Rest API spawned on port 5000 isn't validating the Host header , as such the server is vulnerable to DNS Rebinding attacks.

Impact :
By tricking users into visiting a website, it will be possible to perform all Rest Calls on behalf of user from the attackers website, bypassing the same origin policy using DNS rebind. Few actions that the attacker can perform are invoking/running functions, read stats etc. There is also a /debug API but currently not configured, attacker can also invoke debug and do stuff based on implementation of the debug functionality.