Well… strictly speaking it's not a vulnerability in that you aren't inherently unsafe just because you use rails.

It is a bug in that it's a usability issue; maybe it should be turned on by default, much like the auto escaping to prevent XSS that came in rails 3.