stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| stimulus_reflex(RubyGems) | 3.5.0.pre0 | 3.5.0.rc4 | N/A |
| stimulus_reflex(RubyGems) | 0 | 3.4.2 | N/A |
| stimulus_reflex(npm) | 3.5.0-pre0 | 3.5.0-rc4 | N/A |
| stimulus_reflex(npm) | 0 | 3.4.2 | N/A |
CVSS Metrics
