Possible unsafe reflection / partial denial of service in avo
Description
Avo is an open source Ruby on Rails admin panel creation framework. The polymorphic field type stores the classes to operate on when a record is updated with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when a manipulated record is viewed. This issue has been addressed in commit ec117882d and is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
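The following is an added illustration, not Avo's code: a Rails-free stand-in for a polymorphic association whose `*_type` column is filled from request params. `UnsafeComment` stores the submitted type verbatim, as the unpatched field did; `SafeComment` looks it up in a configured allowlist and resets the association otherwise, modelled on the fix. `Post`, `Photo`, `resolve_polymorphic` and the `TAMPERED` request are constructed for the example.

```ruby
# Configured models that a comment may belong to (constructed example).
class Post; end
class Photo; end

# Stand-in for how ActiveRecord resolves a polymorphic association when a
# record is displayed: the stored *_type string is turned into a constant.
# An unknown name raises NameError (a crash), and any name that does resolve
# is instantiated, which is what makes unvalidated input dangerous here.
def resolve_polymorphic(type_name)
  return nil if type_name.nil? || type_name.empty?
  Object.const_get(type_name)
end

class UnsafeComment
  attr_accessor :commentable_type, :commentable_id
  # Before the fix: whatever string the client sent is stored as-is.
  def fill(params)
    self.commentable_type = params["commentable_type"]
    self.commentable_id = params["commentable_id"]
    self
  end
end

class SafeComment
  ALLOWED_TYPES = [Post, Photo].freeze
  attr_accessor :commentable_type, :commentable_id

  # Allowlist lookup: returns the configured class object, or nil when the
  # submitted name is not one of the configured types (comparison by to_s,
  # so nil or blank input also yields nil).
  def valid_polymorphic_class(possible_class)
    ALLOWED_TYPES.find { |type| type.to_s == possible_class.to_s }
  end

  # After the fix: an unlisted type resets both the type and the id, so no
  # attacker-chosen class name ever reaches the database.
  def fill(params)
    klass = valid_polymorphic_class(params["commentable_type"])
    self.commentable_type = klass&.to_s
    self.commentable_id = klass ? params["commentable_id"] : nil
    self
  end
end

# Constructed request carrying a class name that is not a configured model.
TAMPERED = { "commentable_type" => "NoSuchModel", "commentable_id" => "7" }.freeze
# Constructed request with a legitimate type.
LEGIT = { "commentable_type" => "Post", "commentable_id" => "7" }.freeze
```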
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| avo (RubyGems) | < 2.33.3 | 2.33.3 |
| avo (RubyGems) | >= 3.0.0.pre1, <= 3.0.0.pre12 | — |
Patches
ec117882ddb1 Merge pull request from GHSA-86h2-2g4g-29qx
1 file changed · +10 −2
lib/avo/fields/belongs_to_field.rb+10 −2 modified@@ -199,11 +199,13 @@ def to_permitted_param def fill_field(model, key, value, params) return model unless model.methods.include? key.to_sym + valid_model_class = valid_polymorphic_class params["#{polymorphic_as}_type"] + if polymorphic_as.present? - model.send("#{polymorphic_as}_type=", params["#{polymorphic_as}_type"]) + model.send("#{polymorphic_as}_type=", valid_model_class) # If the type is blank, reset the id too. - if params["#{polymorphic_as}_type"].blank? + if valid_model_class.blank? model.send("#{polymorphic_as}_id=", nil) else model.send("#{polymorphic_as}_id=", params["#{polymorphic_as}_id"]) @@ -215,6 +217,12 @@ def fill_field(model, key, value, params) model end + def valid_polymorphic_class(possible_class) + types.find do |type| + type.to_s == possible_class.to_s + end + end + def database_id # If the field is a polymorphic value, return the polymorphic_type as key and pre-fill the _id in fill_field. return "#{polymorphic_as}_type" if polymorphic_as.present?
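Review bot: In fill_field an unlisted submitted type is silently coerced to nil (both `_type` and `_id` are reset) rather than rejected; a request carrying a class name outside `types` is a sign of tampering, so consider recording it (a log line or an error added to the model) so the rejection is visible instead of looking like a user clearing the field. Also, `valid_model_class = valid_polymorphic_class params["#{polymorphic_as}_type"]` runs before the `if polymorphic_as.present?` guard, so the lookup executes for non-polymorphic fields too; moving it inside the branch keeps it scoped to where its result is used.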
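Review bot: valid_polymorphic_class has no doc comment even though its contract is the security boundary of this fix; state that it returns the configured class object from `types` (never the submitted string), that comparison is by `to_s` so nil or blank input yields nil, and that a field with an empty `types` list will therefore always reset the association. A spec asserting that an unlisted class name returns nil would pin that behaviour.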
References
- github.com/advisories/GHSA-86h2-2g4g-29qx
- nvd.nist.gov/vuln/detail/CVE-2023-34102
- github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
- github.com/avo-hq/avo/releases/tag/v2.33.3
- github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
- github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml