This simple command line tool to execute arbitrary code on your server works, kids. I'm also north of 90% probable that I could weaponize it to turn any image tag on the Internet into "roots your local machine", and 100% certain I could do so for any page I could coerce to execute JavaScript.
> I'm also north of 90% probable that I could weaponize it to turn any image tag on the Internet into "roots your local machine"
Definitely not saying you're wrong, but I'm not convinced this is doable. Every exploit I've seen requires a request body -- how would you do that with an IMG tag?
Go on a Rails security safari, armed with the knowledge that any YAML parsing is victory, and pay very careful attention to code paths involving Rails/Rack route/parameter processing, especially anything which smells of magic. To clarify: I haven't actually done the work yet.
I'm actually going on a Rails security safari later, though not particularly looking to widen this/these vulnerabilities. I figure I've gotten enough out of the community over the years to contribute part of a workweek and get one more hole plugged.
Not unless nginx/apache routes the request directly to public/. There will definitely be more code-paths to YAML.load, but so far ActionDispatch::Http::Parameters has been the entry point.
I mean "This will also let the adversary root your MacBook, Rails developers, if e.g. localhost:3000 is running an unpatched Rails app."
One would think this is strictly less important than "root your server" but that hasn't been true for 100% of Rails developers that I've recently spoken to, so if losing your MacBook is the inducement you need to drop everything you are doing and patch, I will supply that inducement liberally.
My website gets a handful of single-page visits, referred from some real sketchy domains, every day. They are very regular and appear to be automated. I wonder if it's part of a broader scam to get website owners to visit sites which root their dev machine via 0-day browser or server vulnerabilities?
You need to patch. Now.
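The thread's concern is any code path that hands request-derived text to YAML.load. As an added example (not code from any commenter or from Rails), this shows a restricted parse of untrusted YAML using Psych's `YAML.safe_load`, which the thread does not mention; `SamplePayload`, `parse_untrusted_yaml` and the sample documents are constructed for illustration.

```ruby
require "yaml"

# Hypothetical application class, defined only so the tagged sample names a
# class that really exists in the process.
class SamplePayload
  attr_accessor :note
end

# Parse YAML that came from an untrusted source. Only plain scalars, arrays
# and hashes are accepted: no Ruby object tags, no symbols, no aliases.
# Returns [:ok, data] or [:rejected, reason].
def parse_untrusted_yaml(text)
  data = YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass
  [:rejected, :disallowed_class]   # a tag or symbol asked for a non-permitted class
rescue Psych::BadAlias
  [:rejected, :alias]              # anchors/aliases are refused outright
rescue Psych::SyntaxError
  [:rejected, :syntax]
end

# Constructed sample documents.
SAMPLES = {
  plain:  "name: widget\nqty: 3\n",
  tagged: "--- !ruby/object:SamplePayload\nnote: constructed sample\n",
  symbol: "role: :admin\n",
  alias:  "a: &x [1, 2]\nb: *x\n",
  broken: "key: [unclosed\n"
}.freeze

# Run every sample through the restricted parser and collect the outcome.
def audit_samples(samples = SAMPLES)
  samples.each_with_object({}) do |(name, text), out|
    status, detail = parse_untrusted_yaml(text)
    out[name] = status == :ok ? :ok : detail
  end
end

audit_samples.each { |name, result| puts format("%-7s %s", name, result) }
```

Only the plain document is returned as data; the object tag is refused before any `SamplePayload` instance is built.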