The remote code execution attacks occurred because any component provided the code functionality, and the components were running on the local machine rather than in a sandbox.
Proof of Concept:
First, create a flow, then drag any component down, and then click on the code section in the image below to edit the code.
You can verify this by entering any code in the "Code" field:
evil="__import__(\\"os\\").system(\\"ls\\")"
Hack = eval(evil)
The result is as follows: