Localhost dangers: CORS and DNS rebinding

ID: 83b7f9da-af4f-56b4-b89f-cf98a1413386

STIX ID: report--83b7f9da-af4f-56b4-b89f-cf98a1413386

Feed Name: GitHub Security Lab

Threat Score
60/100

Date Published: 2025-04-03

Date Updated: 2026-04-27

Author: Kevin Stubbings

...
...

The GitHub Security Lab post explains how improper CORS configuration and DNS rebinding can enable attackers to perform privileged actions or achieve remote code execution. It reviews insecure validation patterns (startsWith/endsWith/Contains), demonstrates real-world vulnerable projects (Cognita, Tamagui) including an exploit chain that uses arbitrary file write plus uvicorn --reload to achieve RCE, and recommends defensive measures such as exact origin matching, host header checks, and proper authentication.