The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.
To avoid this vulnerability you will have to either remove all calls to create_with, or carefully audit your codebase to ensure it sanitizes the input first. For example you should replace code like this:
user.blog_posts.create_with(params[:blog_post].permit(:title, :body, :etc)).create