There is something fascinating about watching this "format string bug on steroids" unfold. It's the sort of bug young me would have dreamt about, and old me just feels bad for the folks that have to scramble now.
Conversation
Replying to
Did you see that it does string interpolation on the parameters too?
news.ycombinator.com/item?id=295063
It doesn't even require that the application passes an attacker controlled format string. Having a direct way of doing RCE from a URL is hilarious but it's quite awful without it too.