New Relic: Disclosure of locally served nerdpacks due to nr-local.net CORS policy misconfiguration
Hey team, I've discovered that the webserver which serves NR1 nerdpacks locally after nr1 nerdpack:serve is executed allows cross-origin requests from every subdomain of nr-ext.net. Since the nr-ext.net domain is used as a sandbox for user-supplied apps, an attacker can place there a malicious code...
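The origin check described in the report, next to a stricter variant, as an added example that is not part of the original report and not New Relic's code. The function names, the sample origins and the exact-match allowlist are assumptions made for illustration; the report excerpt does not say how the issue was fixed.

```javascript
// Added illustration. Function names and sample origins are hypothetical;
// only the nr-ext.net domain comes from the report.
const SANDBOX_SUFFIX = '.nr-ext.net';

// Parse an Origin header value; returns null for "null", empty or malformed values.
function parseOrigin(origin) {
  try {
    return new URL(origin);
  } catch {
    return null;
  }
}

// Policy as the report describes it: every subdomain of the sandbox domain
// is trusted, including subdomains that host other users' apps.
function allowAnySandboxSubdomain(origin) {
  const url = parseOrigin(origin);
  return url !== null &&
    url.protocol === 'https:' &&
    url.hostname.endsWith(SANDBOX_SUFFIX);
}

// Stricter policy (assumption): trust only the exact origins the developer
// listed. url.origin normalises case and default ports before comparison.
function makeExactAllowlist(allowedOrigins) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return (origin) => {
    const url = parseOrigin(origin);
    return url !== null && allowed.has(url.origin);
  };
}

// Build the CORS response headers for a request under a given policy.
// No Access-Control-Allow-Origin header means the browser blocks the read.
function corsHeaders(origin, isAllowed) {
  if (!origin || !isAllowed(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Constructed sample origins: the developer's own app and another tenant's app.
const OWN_APP = 'https://my-own-nerdpack.nr-ext.net';
const OTHER_TENANT = 'https://someone-elses-app.nr-ext.net';
const strictPolicy = makeExactAllowlist([OWN_APP]);

console.log('suffix policy, other tenant:', corsHeaders(OTHER_TENANT, allowAnySandboxSubdomain));
console.log('exact policy, other tenant: ', corsHeaders(OTHER_TENANT, strictPolicy));
console.log('exact policy, own app:      ', corsHeaders(OWN_APP, strictPolicy));
```

Under the suffix policy the other tenant's origin is echoed back in `Access-Control-Allow-Origin`, so a page on that subdomain can read responses from the local server; under the exact-match policy it receives no CORS headers.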