This app is not listening on 127.0.0.1 — it binds to all interfaces (and on both IPv4 and IPv6 too), and the parent's comment is completely valid. Anyone who can get a UDP packet to your machine can control this.
(The `nc` command in the example is directed at localhost, but that doesn't imply that the app is bound to localhost only, just that it's bound to at least that.)
Unix sockets are a better fit for this sort of thing, as they can be restricted to your user by default, and optionally opened up to others (i.e., Unix sockets are authenticated). You can always do both (implement Unix sockets and Internet sockets).
Even binding to localhost in general is not completely safe, if a webpage or other apps can be fooled into making the right request. (I think UDP is safe here, but who knows.)
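
To illustrate the difference the comment above describes, here is an added example (not part of the original comment and not the app's own code) that classifies what a UDP bind address exposes and opens a Unix datagram control socket only the owning user can write to. The function names, the `ctl/control.sock` path and the `pause` command are hypothetical.

```python
import os
import socket
import stat
import tempfile

def bind_scope(host):
    """Bind a UDP socket to `host` (ephemeral port) and classify who can reach it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        addr = s.getsockname()[0]
    if addr == "0.0.0.0":
        return "all-interfaces"   # any host that can route a packet to this machine
    return "loopback" if addr.startswith("127.") else "single-interface"

def open_control_socket(path):
    """Create a Unix datagram socket that only the owning user can send to."""
    parent = os.path.dirname(path)   # must be a directory dedicated to this socket
    os.makedirs(parent, exist_ok=True)
    os.chmod(parent, 0o700)          # portable guard: some systems ignore socket file modes
    if os.path.exists(path):
        os.unlink(path)              # stale socket left by a previous run
    old_umask = os.umask(0o177)      # socket file is created with mode 0600
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        s.bind(path)
    finally:
        os.umask(old_umask)
    return s

def socket_mode(path):
    """Permission bits of the filesystem entry at `path`."""
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    # An empty host string means INADDR_ANY, which is what a wildcard bind uses.
    print(bind_scope(""), bind_scope("127.0.0.1"))
    path = os.path.join(tempfile.mkdtemp(), "ctl", "control.sock")
    server = open_control_socket(path)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client.sendto(b"pause", path)    # constructed sample command
    print(server.recv(64), oct(socket_mode(path)))
```

Opening the socket up to other users is then a deliberate step (a group-owned directory and a `0660` socket) rather than the default.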