I mean "This will also let the adversary root your MacBook, Rails developers, if e.g. localhost:3000 is running an unpatched Rails app."
One would think this is strictly less important than "root your server", but that hasn't been true for 100% of Rails developers that I've recently spoken to, so if losing your MacBook is the inducement you need to drop everything you are doing and patch, I will supply that inducement liberally.
My website gets a handful of single-page visits, referred from some real sketchy domains, every day. They are very regular and appear to be automated. I wonder if it's part of a broader scam to get website owners to visit sites which root their dev machine via 0-day browser or server vulnerabilities?