Affected versions of this package are vulnerable to Information Exposure. There is a possible information exposure / unintended method execution when using the
polymorphic_url helper with untrusted user input. This arises because
url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.
actionpack to version 18.104.22.168, 5.2.6, 22.214.171.124, 126.96.36.199 or higher.