I reported a security vulnerability for Guile. I'm happy to say that a fix is out and you can read about it. If you remember me linking to this article, that's pretty much what it is.

But here's the real lesson: you can't really assume that localhost is localhost-only for private data or "secure" locally privileged anything. This has become more clear to me while working on ActivityPub and looking into other server processes which might also post to anything remote. We recommend against accessing localhost URIs in ActivityPub, but note that the above attack against Guile could also possibly apply to a server: using DNS tricks to convince a server to attack itself on localhost. All sorts of server and client software which may themselves send requests are probably vulnerable to this.

So the lesson: don't use localhost for local-only things. Use unix domain sockets or named pipes! Network architectures are just too complex these days...