stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-03-12T19:44:29.591Z
Updated: 2024-08-15T19:34:43.636Z
Reserved: 2024-03-04T14:19:14.060Z
Link: CVE-2024-28121
Vulnrichment
Updated: 2024-08-02T00:48:49.423Z
NVD
Status : Awaiting Analysis
Published: 2024-03-12T20:15:08.313
Modified: 2024-11-21T09:05:51.707
Link: CVE-2024-28121
Redhat
No data.