Here's a PR with what I suggest:
https://github.com/qos-ch/reload4j/pull/26

JdbcPatternParserTest shows how it parses the current pattern into
"text for the prepared statement" and "arguments for it".

I believe it fixes the CVE, and it keeps the code compatible with previous usages.

Vladimir
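
An added sketch (not code from the PR or from reload4j) of the split the message describes: an appender SQL pattern turned into prepared-statement text plus one layout pattern per bind parameter. The class name, the sample pattern, and the rule that a quoted literal containing `%` becomes a `?` are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustrative sketch only: not the parser from the PR. The class name and the
// rule "a quoted literal containing % becomes a bind parameter" are assumptions.
public class PatternSplitDemo {
    // A single-quoted SQL string literal; '' inside it is an escaped quote.
    private static final Pattern LITERAL = Pattern.compile("'((?:[^']|'')*)'");

    final StringBuilder sql = new StringBuilder();       // text for the prepared statement
    final List<String> argPatterns = new ArrayList<>();  // one layout pattern per '?'

    PatternSplitDemo(String appenderSql) {
        Matcher m = LITERAL.matcher(appenderSql);
        int pos = 0;
        while (m.find()) {
            // Copy the SQL between the previous literal and this one unchanged.
            sql.append(appenderSql, pos, m.start());
            String body = m.group(1);
            if (body.indexOf('%') >= 0) {
                // Literal holds conversion specifiers: bind it instead of inlining it.
                sql.append('?');
                argPatterns.add(body.replace("''", "'"));
            } else {
                // Constant literal: keep it verbatim in the statement text.
                sql.append(m.group());
            }
            pos = m.end();
        }
        sql.append(appenderSql, pos, appenderSql.length());
    }

    public static void main(String[] args) {
        // Constructed sample configuration value.
        String configured = "INSERT INTO logs (lvl, src, msg) VALUES ('%p', 'app', '%m')";
        PatternSplitDemo p = new PatternSplitDemo(configured);
        System.out.println(p.sql);
        System.out.println(p.argPatterns);
        // Each formatted argument would then go through PreparedStatement.setString(),
        // so a quote character in a logged message is stored as data, not parsed as SQL.
    }
}
```

Because the configured pattern string itself is unchanged, existing configurations keep working while the formatted values no longer reach the SQL text.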