The webconsole gem, which ships with the Rails development server, allows remote code execution via DNS rebinding. I reported this issue to Rails on April 20th, 2015. However, it may have been reported to them earlier, because Homakov also found the issue independently and tweeted about it here: There are lots of dangerous interactions with localhost: I tweeted that with DNS rebinding we can RCE via R