stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-12T19:44:29.591Z

Updated: 2024-08-15T19:34:43.636Z

Reserved: 2024-03-04T14:19:14.060Z

Link: CVE-2024-28121

cve-icon Vulnrichment

Updated: 2024-08-02T00:48:49.423Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-12T20:15:08.313

Modified: 2024-11-21T09:05:51.707

Link: CVE-2024-28121

cve-icon Redhat

No data.