High severity · NVD Advisory · Published Mar 12, 2024 · Updated Feb 13, 2025

Reflex arbitrary method call in stimulus_reflex

CVE-2024-28121

Description

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions, more methods than expected can be called on reflex instances, and being able to call some of them has security implications. To invoke a reflex, a websocket message of the following shape is sent: "target":"[class_name]#[method_name]","args":[]. The server instantiates the reflex using the provided class_name, as long as that class extends StimulusReflex::Reflex. It then attempts to call method_name on the instance with the provided arguments. This is problematic because reflex.method method_name can resolve more methods than those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should see the backing GHSA advisory for mitigation advice.
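
The dispatch described above, reduced to a stand-alone Ruby sketch and placed beside an allowlisting variant. This is an added example, not code from stimulus_reflex or from its patch; BaseReflex, CounterReflex, the resolve and dispatch_* helpers and the sample messages are hypothetical and constructed here.

```ruby
require "json"

# Hypothetical stand-in for StimulusReflex::Reflex (not the gem's code).
class BaseReflex
  attr_reader :current_user_id

  def initialize
    @current_user_id = 1 # state the developer never meant clients to set
  end
end

# Developer-written reflex that intends to expose a single action.
class CounterReflex < BaseReflex
  attr_reader :count

  def increment(step = 1)
    @count = (@count || 0) + step
  end
end

# Constructed sample messages in the shape given in the description.
LEGIT_MSG = '{"target":"CounterReflex#increment","args":[2]}'
OVERREACH_MSG = '{"target":"CounterReflex#instance_variable_set","args":["@current_user_id",42]}'

# Parse "Class#method", resolve the class and require the expected base class.
def resolve(message)
  data = JSON.parse(message)
  class_name, method_name = data.fetch("target").split("#", 2)
  klass = Object.const_get(class_name)
  raise ArgumentError, "not a reflex" unless klass.is_a?(Class) && klass < BaseReflex
  [klass.new, method_name.to_s, data.fetch("args", [])]
end

# Dispatch as described: any method the instance responds to is callable.
def dispatch_unsafe(message)
  reflex, method_name, args = resolve(message)
  reflex.method(method_name).call(*args)
  reflex
end

# Allowlist: only public methods added below the base class are callable.
def dispatch_allowlisted(message)
  reflex, method_name, args = resolve(message)
  exposed = (reflex.class.public_instance_methods - BaseReflex.public_instance_methods).map(&:to_s)
  raise ArgumentError, "method not exposed: #{method_name}" unless exposed.include?(method_name)
  reflex.public_send(method_name, *args)
  reflex
end
```

Subtracting the base class's public methods removes everything inherited from Object as well, so instance_variable_set is rejected while increment, including when it is defined on an intermediate application-level reflex class, stays callable.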


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| stimulus_reflex (RubyGems) | >= 3.5.0.pre0, < 3.5.0.rc4 | 3.5.0.rc4 |
| stimulus_reflex (RubyGems) | < 3.4.2 | 3.4.2 |
| stimulus_reflex (npm) | >= 3.5.0-pre0, < 3.5.0-rc4 | 3.5.0-rc4 |
| stimulus_reflex (npm) | < 3.4.2 | 3.4.2 |
