
Did you forget the link?


They are talking about this issue

https://github.com/slime/slime/issues/286

If it has been left unaddressed, it is because no one thinks it is enough of a problem. That is how free software works.


That actually scares me enough to disable Swank on my laptop. Actually, to disable all localhost services that could by any stretch of the imagination execute code.

Tl;dr: web sites can send requests to localhost TCP sockets despite origin restrictions using a trick called DNS rebinding.


Yes, it is certainly a gaping security hole. Yet I can't bring myself to submit a patch.



