Rafael from Rails Core has amended this now, and the CVE isn't a...

https://ruby.social/users/Ryanbigg/statuses/112001730685665255