Arbitrary method invocation turbo_boost-commands
Description
TurboBoost Commands fails to properly guard against arbitrary method invocation, allowing a sophisticated attacker to call potentially dangerous public methods.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
The vulnerability in turbo_boost-commands (a library for building reactive Rails/Hotwire applications) arises from insufficient validation of which methods can be invoked. While the library checks that a method is public and belongs to a Command class, this check is not robust enough to prevent an attacker from calling methods that should be restricted [1][2]. The security issue is categorized as an improper enforcement of intended method access, potentially leading to unauthorized code execution [4].
Exploitation
An attacker with the ability to craft requests to a TurboBoost endpoint can invoke arbitrary public methods on Command classes. The existing guard only verifies that the method is defined as a public method and that the class is a Command, but does not restrict which specific public methods are allowable. A sophisticated attacker could leverage this to call methods that were not intended to be exposed via the command interface [2][4]. The attack requires network access to the application and an understanding of the command invocation mechanism.
Impact
Successful exploitation could allow the attacker to execute methods that have security implications, such as those that modify state, access sensitive data, or trigger side effects. The exact impact depends on which public methods exist in the application's Command classes and the overall security posture of the application [1][4]. The vulnerability has been addressed in versions 0.1.3 and 0.2.2, with advice for users on older versions to apply a workaround guard [2][4].
Mitigation
Users are strongly advised to upgrade to version 0.1.3 or 0.2.2 of the turbo_boost-commands gem. For those unable to upgrade, a workaround is available by adding a before_command guard that verifies the method is defined on an allowed ancestor of the Command class [4]. No known exploitation in the wild has been reported as of the publication date.
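The ancestor-scoped guard described above, as an added Ruby example that is not code from the turbo_boost-commands project: a constructed base class, mixin and command class stand in for the real ones, and the check is written as a plain method rather than the advisory's before_command callback, which would apply the same ancestor test.

```ruby
# Added example, not code from turbo_boost-commands: the pre-fix `respond_to?`
# guard beside the ancestor-scoped guard introduced by the patch.
module TurboBoost
  module Commands
    class Command
      # Constructed stand-in for the framework base class; its public
      # methods must not be reachable through the command endpoint.
      def perform_internal_step; :internal end
    end
  end
end

module AppCommandHelpers # constructed application-level mixin
  def helper_action; :helper end
end

class GreetCommand < TurboBoost::Commands::Command # constructed
  include AppCommandHelpers
  def greet; :greeted end
  private
  def secret; :secret end
end

# Vulnerable guard (behaviour before the fix): any public method the instance
# responds to passes, including Object/Kernel methods and public methods of
# the framework base class itself.
def vulnerable_method_allowed?(command_class, method_name)
  command_class.new.respond_to?(method_name)
end

# Fixed guard (same logic as the patched runner.rb): only methods defined
# directly on the command class, or on ancestors that sit between it and
# TurboBoost::Commands::Command in the ancestor chain, are invocable.
def method_allowed?(command_class, method_name)
  chain = command_class.ancestors
  idx = chain.index(TurboBoost::Commands::Command)
  return false if idx.nil? || idx.zero? # not a Command subclass
  chain[0...idx].any? do |ancestor|
    ancestor.public_instance_methods(false).include?(method_name.to_sym)
  end
end

if $PROGRAM_NAME == __FILE__
  %w[greet helper_action perform_internal_step freeze secret].each do |m|
    puts "#{m}: before=#{vulnerable_method_allowed?(GreetCommand, m)} " \
         "after=#{method_allowed?(GreetCommand, m)}"
  end
end
```

Running the file prints, for each sample method name, whether the old and the new guard would let it through; only `greet` and `helper_action` pass the fixed guard.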
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| turbo_boost-commands | RubyGems | < 0.1.3 | 0.1.3 |
| turbo_boost-commands | RubyGems | >= 0.2.0, < 0.2.2 | 0.2.2 |
| @turbo-boost/commands | npm | < 0.1.3 | 0.1.3 |
| @turbo-boost/commands | npm | >= 0.2.0, < 0.2.2 | 0.2.2 |
Affected products
- 3 entries (GHSA coordinates, no CPE), 2 version ranges: < 0.1.3 and 1 more
Patches (2)
88af4fc0ac39 Merge pull request from GHSA-mp76-7w5v-pr75
1 file changed · +2 −1
lib/turbo_boost/commands/runner.rb+2 −1 modified@@ -40,7 +40,8 @@ def command_valid? end # validate method - unless command_instance.respond_to?(command_method_name) + ancestors = command_class.ancestors[0..command_class.ancestors.index(TurboBoost::Commands::Command) - 1] + unless ancestors.any? { |a| a.public_instance_methods(false).any? command_method_name.to_sym } raise TurboBoost::Commands::InvalidMethodError, "`#{command_class_name}` does not define the public method `#{command_method_name}`!" end
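Review bot: the new `ancestors[0..ancestors.index(TurboBoost::Commands::Command) - 1]` slice in `command_valid?` has two edge cases worth an explicit guard. If `command_class` is `TurboBoost::Commands::Command` itself, `index` returns 0 and `[0..-1]` yields the whole ancestor chain, `Object` and `Kernel` included, which reopens the exposure this change closes; if `command_class` does not descend from `Command`, `index` returns nil and `nil - 1` raises `NoMethodError` rather than `InvalidMethodError`. Suggest computing the index once and raising `InvalidMethodError` unless it is positive before slicing, unless the class check earlier in this method already excludes both cases.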
337cda7d9222 Merge pull request from GHSA-mp76-7w5v-pr75
1 file changed · +2 −1
lib/turbo_boost/commands/runner.rb+2 −1 modified@@ -38,7 +38,8 @@ def command_valid? end # validate method - unless command_instance.respond_to?(command_method_name) + ancestors = command_class.ancestors[0..command_class.ancestors.index(TurboBoost::Commands::Command) - 1] + unless ancestors.any? { |a| a.public_instance_methods(false).any? command_method_name.to_sym } raise TurboBoost::Commands::InvalidMethodError, "`#{command_class_name}` does not define the public method `#{command_method_name}`!" end
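Review bot: this is the same change on the other release branch, so the same `index(...) - 1` edge case (index 0 or nil) applies here; in addition, the `ancestors` line deserves a one-line comment stating the intent, that only methods defined on the application's own command class or on ancestors between it and `TurboBoost::Commands::Command` are invocable, because `public_instance_methods(false)` deliberately excludes inherited methods and a later reader may otherwise simplify it back to `respond_to?`. A regression spec asserting that an `Object`/`Kernel` method name raises `InvalidMethodError` would pin the behaviour on both branches.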
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/advisories/GHSA-mp76-7w5v-pr75 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28181 (advisory)
- github.com/hopsoft/turbo_boost-commands/commit/337cda7d9222f1f449905454a7374222017a7477 (web)
- github.com/hopsoft/turbo_boost-commands/commit/88af4fc0ac39cc1799d16c49fab52f6dfbcec9ba (web)
- github.com/hopsoft/turbo_boost-commands/security/advisories/GHSA-mp76-7w5v-pr75 (web, vendor confirmation)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/turbo_boost-commands/CVE-2024-28181.yml (web)