railties is vulnerable to remote code execution. A remote attacker is able to guess the automatically generated secret token when Rails is in development mode. This token can subsequently be used in combination with other Rails internals to execute arbitrary code.
packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html
github.com/rubysec/ruby-advisory-db/pull/380/files
groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
lists.fedoraproject.org/archives/list/[email protected]/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
www.exploit-db.com/exploits/46785/