The vulnerability stemmed from Rails' class_attribute macro defaulting to enabling instance-level writers. This allowed attackers to override class-level configurations (like validators, serialization settings, enum mappings, and callbacks) via crafted instance parameters. The patches explicitly set instance_writer: false on these class attributes, confirming these were the vulnerable points. The files/modules modified in the provided patches (JSON serializers, validations, enums, reflection, and callbacks) all contained class_attribute declarations without instance_writer restrictions in vulnerable versions.