Not sure if you're emphasizing "claims" because you find it dubious so perhaps it's worth noting that the statement is coming from someone who claims (heh) to be an engineer at CF rather than someone working in PR/marketing. In case that affects the reader's view of the statement.
I don't necessarily find it dubious. I emphasized because I have not verified personally that the exploit is closed nor would that even be feasible (for me or anyone outside CF). I also previously reported this issue to multiple people at CF, offered more information and it was seemingly ignored/buried until this project called them out.
Also, when reading through the thread I shared it doesn't seem like CF or the researchers recognized the extent of the initial problem when they initially classified as "edge case". My client who was targeted was small and insignificant which caused me to doubt this an "edge case". Just my speculation.
