{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T14:48:19.363","vulnerabilities":[{"cve":{"id":"CVE-2024-28121","sourceIdentifier":"security-advisories@github.com","published":"2024-03-12T20:15:08.313","lastModified":"2025-12-03T17:13:55.833","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\\\"target\\\":\\\"[class_name]#[method_name]\\\",\\\"args\\\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods than those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice."},{"lang":"es","value":"stimulus_reflex es un sistema para ampliar las capacidades de Rails y Stimulus interceptando las interacciones del usuario y pasándolas a Rails a través de websockets en tiempo real. En las versiones afectadas se pueden invocar más métodos de los esperados en instancias reflejas. Poder llamar a algunos de ellos tiene implicaciones de seguridad. Para invocar un reflejo, se envía un mensaje websocket con la siguiente forma: `\\\"target\\\":\\\"[class_name]#[method_name]\\\",\\\"args\\\":[]`. El servidor procederá a crear una instancia de `reflex` utilizando el `class_name` proporcionado siempre que extienda `StimulusReflex::Reflex`. Luego intenta llamar a \"method_name\" en la instancia con los argumentos proporcionados. Esto es problemático ya que `reflex.method method_name` puede contener más métodos que los especificados explícitamente por el desarrollador en su clase refleja. Un buen ejemplo es el método instance_variable_set. Esta vulnerabilidad ha sido parcheada en las versiones 3.4.2 y 3.5.0.rc4. Los usuarios que no puedan actualizar deben: consultar el aviso de respaldo de GHSA para obtener consejos de mitigación."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-470"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:*:*:*:*:*:*:*:*","versionEndExcluding":"3.4.2","matchCriteriaId":"D2AF2E16-66DC-4D13-9874-5A085F749360"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre1:*:*:*:*:*:*","matchCriteriaId":"43E5D805-62D2-4F50-A685-84085E31B857"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre10:*:*:*:*:*:*","matchCriteriaId":"2C430B21-0D71-4B80-BBE1-CF1BBAF8190D"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre2:*:*:*:*:*:*","matchCriteriaId":"21D141A2-60A1-4F5C-955C-D40E70B3F12C"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre3:*:*:*:*:*:*","matchCriteriaId":"453438E7-1F0B-43A9-8D94-A7510B0094FF"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre4:*:*:*:*:*:*","matchCriteriaId":"57412721-4013-4EB3-AA4B-FB76773A5534"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre5:*:*:*:*:*:*","matchCriteriaId":"6BB95FE6-38EE-436B-93C7-A20967D9D03E"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre6:*:*:*:*:*:*","matchCriteriaId":"D2CC3F1D-547A-4A03-A7D1-71132744B0CA"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre7:*:*:*:*:*:*","matchCriteriaId":"70DA9FDB-843D-4D14-89F3-88DB9AF46CA7"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre8:*:*:*:*:*:*","matchCriteriaId":"67299098-B253-4678-9C40-F6980EDF0879"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre9:*:*:*:*:*:*","matchCriteriaId":"FDB23841-1F34-44D2-B9DC-ED9736515754"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc1:*:*:*:*:*:*","matchCriteriaId":"D57C60F7-EBEC-4DDA-9649-2D4ABA117F09"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc2:*:*:*:*:*:*","matchCriteriaId":"604C86CB-59CF-4B84-A1D3-D0E982207FE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc3:*:*:*:*:*:*","matchCriteriaId":"A096C05D-53EA-4713-A0B4-6AF522CC36A2"}]}]}],"references":[{"url":"http://seclists.org/fulldisclosure/2024/Mar/16","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83","source":"security-advisories@github.com","tags":["Technical Description"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"http://seclists.org/fulldisclosure/2024/Mar/16","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Release Notes"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Release Notes"]},{"url":"https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]}]}}]}