Rafael from Rails Core has amended this now, and the CVE isn't applicable to Rails 6.1. There'll be a grace period for Rails 6.1apps. see the issue for more details.