diff --git a/actionpack/lib/action_controller/routing.rb b/actionpack/lib/action_controller/routing.rb
index b02db375e9300..e0b9b8452fede 100644
--- a/actionpack/lib/action_controller/routing.rb
+++ b/actionpack/lib/action_controller/routing.rb
@@ -262,13 +262,23 @@ def traverse_to_controller(segments, start_at = 0)
           nil
         end
         
-        attr_accessor :controller_paths
-        
       protected
+        def safe_load_paths #:nodoc:
+          if defined?(RAILS_ROOT)
+            $LOAD_PATH.select do |base|
+              base = File.expand_path(base)
+              extended_root = File.expand_path(RAILS_ROOT)
+              # Exclude all paths that are not nested within app, lib, or components.
+              base.match(/\A#{Regexp.escape(extended_root)}\/*(app|lib|components)\/[a-z]/) || base =~ %r{rails-[\d.]+/builtin}
+            end
+          else
+            $LOAD_PATH
+          end
+        end
         
         def attempt_load(mod, const_name, path)
           has_dir = false
-          controller_paths.each do |load_path|
+          safe_load_paths.each do |load_path|
             full_path = File.join(load_path, path)
             file_path = full_path + '.rb'
             if File.file?(file_path) # Found a .rb file? Load it up
diff --git a/railties/lib/initializer.rb b/railties/lib/initializer.rb
index 4db54474819a3..eed5c16d9c6e7 100644
--- a/railties/lib/initializer.rb
+++ b/railties/lib/initializer.rb
@@ -236,7 +236,6 @@ def initialize_framework_views
     # loading module used to lazily load controllers (Configuration#controller_paths).
     def initialize_routing
       return unless configuration.frameworks.include?(:action_controller)
-      ActionController::Routing::ControllerComponent.controller_paths = configuration.controller_paths
       ActionController::Routing::Routes.reload
     end