Not clear to me what this can do. The string literal is read and has BiDi control characters. Will it just change the direction of how the characters are displayed in the browser or other software? Does the BiDi code keep reading until it finds another control character, thus causing a buffer read overrun enabling a buffer exploit?
That may be deliberate so black hats will have to figure it out.
But the scary part is it doesn't really matter what OS or software you use--it can be inserted everywhere as this is a source-code-level exploit that the compilers do not catch.
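Added example, not part of the original thread: a Python check that reports Unicode BiDi control characters in source text, the kind of pre-commit or CI scan that covers what the compiler does not flag. The function name, the per-line "unterminated" heuristic and the sample input are assumptions constructed here.

```python
import unicodedata

# Unicode explicit directional formatting characters.
EMBED_OPEN = {"\u202A", "\u202B", "\u202D", "\u202E"}  # LRE, RLE, LRO, RLO (closed by PDF)
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI (closed by PDI)
PDF, PDI = "\u202C", "\u2069"
BIDI_CONTROLS = EMBED_OPEN | ISOLATE_OPEN | {PDF, PDI}


def scan_source(text):
    """Return one finding per line that contains BiDi control characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(col, ch) for col, ch in enumerate(line, start=1) if ch in BIDI_CONTROLS]
        if not hits:
            continue
        embed_depth = isolate_depth = 0
        for _, ch in hits:  # heuristic: count openers not closed on the same line
            if ch in EMBED_OPEN:
                embed_depth += 1
            elif ch in ISOLATE_OPEN:
                isolate_depth += 1
            elif ch == PDF and embed_depth:
                embed_depth -= 1
            elif ch == PDI and isolate_depth:
                isolate_depth -= 1
        findings.append({
            "line": lineno,
            "chars": [(col, f"U+{ord(ch):04X}", unicodedata.name(ch)) for col, ch in hits],
            "unterminated": embed_depth > 0 or isolate_depth > 0,
            # Same line with the invisible characters made visible for review.
            "escaped": "".join(f"\\u{ord(c):04X}" if c in BIDI_CONTROLS else c for c in line),
        })
    return findings


# Constructed sample input (written with escapes so this file stays clean).
SAMPLE = (
    "int main() {\n"
    "    /* greeting \u202E\u2066 text */\n"      # openers never closed on the line
    '    const char *s = "\u2067abc\u2069";\n'   # balanced isolate pair
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f["line"], "UNTERMINATED" if f["unterminated"] else "balanced", f["escaped"])
```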
Not too concerned about it. They have to get it into your code. If someone got to my codebase, there would be more issues than them putting something like this into it.
I wonder if it has to do with programming languages that allow pragmas/commands within comments, perhaps like the shebang directives in bash?
https://bash.cyberciti.biz/guide/Shebang
ANY time data (or code comments) have a chance of changing context into code execution, you have a potential security vulnerability.