nuclide is vulnerable to remote code execution (RCE). The vulnerability exists due to the lack of sanitization of hostname parameter for invalid character during hhvm-attach deep link handler request, allowing the malicious code to be entered via the parameter.