The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].
I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.
Edit: And even if it were this update doesn't fix the problem. POST variables can still be accessed:
Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WPEngine from being able to push a fix to it because they'd cut off access to wp.org
I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.
ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?
What is the actual issue? CVE number?