"Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.

 

All users running an affected release should either upgrade or use one of the work arounds immediately.

 

Impacted code passes user provided data to a dynamic finder like this:

 

Post.find_by_id(params[:id])"