The vulnerability was introduced in version 1.63 and fixed in 1.64. Since we do not ship version 1.63 in any codestream we are not affected by this bug.