The thing everyone's been passing around this fortnight is httpoxy, disclosed back on 18 July. The short version: a client sends a Proxy: HTTP header, CGI and friends dutifully map it to the HTTP_PROXY environment variable, and various HTTP libraries read HTTP_PROXY to decide where to route outbound requests. So your application can be tricked into proxying its own server-side calls through whatever the attacker fancies.
What I like, in a grim way, is that this isn't a clever new exploit. It's a namespace collision between a request header and an environment variable that has apparently been sitting there since the CGI era. People reported pieces of it years ago. It just took someone naming it and writing it up nicely for everyone to suddenly care.
I checked our stuff. We don't run much CGI, but "not much" is not "none", and the language runtimes that honour HTTP_PROXY are exactly the ones we use for outbound calls. The mitigation is mercifully dull: strip the Proxy header at the edge before it ever reaches an application. A few lines in the front-end config and you're done.
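To make the collision concrete, here is an added example (my own code, not from the post or the httpoxy write-up) that models the CGI header-to-environment mapping in Python, then shows the two defences: stripping the Proxy header at the edge, and an HTTP client refusing HTTP_PROXY inside a CGI request. The header values and function names are constructed for illustration.

```python
# Added example, not code from the post: a model of the httpoxy mechanism
# (CGI header -> environment-variable mapping) beside the two mitigations.
# Function names and sample values are my own.

# Constructed sample request headers; "Proxy" is the problematic one.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "Proxy": "attacker-controlled:8080",
    "X-Forwarded-For": "203.0.113.5",
}

def cgi_meta_name(header: str) -> str:
    """CGI (RFC 3875) meta-variable naming: upper-case, '-' -> '_', HTTP_ prefix.
    This rule is why a request header named Proxy lands in HTTP_PROXY."""
    return "HTTP_" + header.upper().replace("-", "_")

def cgi_environ(headers: dict) -> dict:
    """What an unfiltered gateway hands the application: one env var per header."""
    return {cgi_meta_name(name): value for name, value in headers.items()}

def strip_proxy_header(headers: dict) -> dict:
    """Edge mitigation: drop the Proxy header before the gateway can map it."""
    return {name: value for name, value in headers.items()
            if name.lower() != "proxy"}

def outbound_proxy(env: dict):
    """Application-side mitigation: honour HTTP_PROXY only when not serving a
    CGI request. Every CGI gateway sets REQUEST_METHOD, so its presence means
    HTTP_PROXY may be client-supplied and must be ignored."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")

if __name__ == "__main__":
    vulnerable = cgi_environ(SAMPLE_HEADERS)
    vulnerable["REQUEST_METHOD"] = "GET"
    print("unfiltered gateway:", vulnerable.get("HTTP_PROXY"))
    hardened = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    print("edge-stripped:", hardened.get("HTTP_PROXY"))
    print("client honours:", outbound_proxy(vulnerable))
```

The same filter expressed in a real front-end config is a one-line header removal; the point of the model is that either layer alone closes the hole, and the edge one also protects CGI code you did not know you were running.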
The lesson I keep relearning is that the worst bugs aren't sophisticated. They're two reasonable design decisions, made decades apart by people who never met, quietly agreeing to share a name.