PT-2024-22275 · Unknown · Stimulus Reflex
Felixmartel · Published 2024-03-12 · Updated 2025-12-03 · CVE-2024-28121

| CVSS v3.1 | 8.8 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
stimulus reflex versions prior to 3.4.2
stimulus reflex versions prior to 3.5.0.rc4
Description
The issue allows more methods than expected to be called on reflex instances, which has security implications. To invoke a reflex, a websocket message is sent with a target and arguments. The server instantiates the reflex using the provided class name and attempts to call the method name on the instance with the provided arguments. This is problematic because it can call methods that the developer did not explicitly define in their reflex class, such as `instance_variable_set`.

The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Technical details about exploitation include:
- API endpoints: a websocket message of the shape `{ "target": "[class name]#[method name]", "args": [] }` is sent to invoke a reflex.
- Vulnerable parameters or variables: `class name` and `method name` can be used to call arbitrary methods on the reflex instance.
- Function names: `instance_variable_set`, `remote_byebug`, `pry`, and `render_collection` are examples of methods that can be called, which can lead to security issues such as arbitrary code execution.
Recommendations
For versions prior to 3.4.2: Update to version 3.4.2 or later.
For versions prior to 3.5.0.rc4: Update to version 3.5.0.rc4 or later.
As a temporary workaround for unpatched versions, add a guard to mitigate the issue: make sure all reflexes inherit from the `ApplicationReflex` class and add a `before_reflex` callback that checks whether the requested method is defined on the class or its ancestors.
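The guard described in the workaround, modelled as an added, self-contained Ruby example rather than StimulusReflex's own code: `ReflexBase` stands in for `StimulusReflex::Reflex`, `dispatch` mimics the `target`/`args` message shape, and the allow-check only counts public methods explicitly declared on the reflex class or on its ancestors below the framework base class, so `Object`/`Kernel` methods such as `instance_variable_set` are rejected. `CounterReflex`, `increment` and `ping` are hypothetical names; in a real application the same check would sit in a `before_reflex` callback on `ApplicationReflex`.

```ruby
require "json"

# Stand-in for StimulusReflex::Reflex (assumption; the real gem is not loaded).
class ReflexBase
  attr_reader :method_name

  def initialize(method_name)
    @method_name = method_name
  end

  # Invoke the requested reflex method with the message arguments.
  def run(args)
    public_send(method_name, *args)
  end
end

# Application base class all reflexes inherit from; it carries the guard.
class ApplicationReflex < ReflexBase
  # True only if +name+ is a public method explicitly declared on this class
  # or an ancestor below ReflexBase, so Object/Kernel methods never qualify.
  def self.reflex_method?(name)
    ancestors.take_while { |klass| klass != ReflexBase }.any? do |klass|
      klass.public_instance_methods(false).include?(name.to_sym)
    end
  end

  def ping
    "pong"
  end
end

# Hypothetical developer-written reflex.
class CounterReflex < ApplicationReflex
  def increment(by = 1)
    "incremented by #{by}"
  end
end

# Dispatch a message of shape { "target": "Class#method", "args": [] };
# returns the reflex result or raises ArgumentError for undeclared methods.
def dispatch(message)
  payload = JSON.parse(message)
  class_name, method_name = payload.fetch("target").to_s.split("#", 2)
  raise ArgumentError, "malformed target" unless class_name && method_name
  klass = Object.const_get(class_name)
  raise ArgumentError, "#{class_name} is not a reflex" unless klass.is_a?(Class) && klass < ApplicationReflex
  raise ArgumentError, "undefined reflex method: #{method_name}" unless klass.reflex_method?(method_name)
  klass.new(method_name).run(payload.fetch("args", []))
end
```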
Affected Products
Stimulus Reflex