An open redirect vulnerability is fixed in Rails 220.127.116.11 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However, the check introduced could allow an attacker to bypass it with a carefully crafted URL, resulting in an open redirect vulnerability.
The reference is obviously wrong, NVD even calls it "Not Applicable". Will contact HackerOne.
Seems like the real advisory is here and is in ActionPack:
This rails slot does not have any stable versions.
Clean is now down.
Then all done, thanks!