CVE-2024-28121
March 12, 2024
stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: "\"target\":\"[class_name]#[method_name]\",\"args\":[]". The server will proceed to instantiate "reflex" using the provided "class_name" as long as it extends "StimulusReflex::Reflex". It then attempts to call "method_name" on the instance with the provided arguments. This is problematic as "reflex.method method_name" can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
Affected Packages
stimulus_reflex (NPM):
Affected version(s) >=0.3.4 <3.4.2Fix Suggestion:
Update to version 3.4.2stimulus_reflex (RUBY):
Affected version(s) >=0.1.0 <3.4.2Fix Suggestion:
Update to version 3.4.2Related ResourcesĀ (10)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
EPSS
Base Score:
1.40
