CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2024-28121 – Reflex arbitrary method call in stimulus_reflex
https://notcve.org/view.php?id=CVE-2024-28121
12 Mar 2024 — stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `"target":"[class_name]#[method_name]","args":[]`. The server will proceed to instantiate `reflex` using the provided `class...
• https://packetstorm.news/files/id/177595
• CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
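The dispatch step the advisory describes, shown as an added example that is not stimulus_reflex's own code: a client-controlled `"Class#method"` target is split, the class is instantiated, and the method is invoked on the instance. The `Reflex` / `CounterReflex` classes, the `REFLEX_CLASSES` map, the sample messages and the allow-list rule in `dispatch_hardened` are all assumptions made for illustration. The vulnerable variant lets a message reach any public method the instance responds to, including `Object#instance_variable_set` and helpers inherited from the base class; the hardened variant accepts only public instance methods declared on the reflex class itself.

```ruby
require "json"

# Framework-style base class (assumed). Real reflex base classes carry many
# inherited helpers that a browser client was never meant to call directly.
class Reflex
  def morph(_selector, _html)
    :morphed
  end
end

# An application reflex with a single intended action (assumed).
class CounterReflex < Reflex
  def initialize
    @count = 0
  end

  def count
    @count
  end

  def increment
    @count += 1
  end
end

# Class names a message may name (assumed registry).
REFLEX_CLASSES = { "CounterReflex" => CounterReflex }.freeze

# Constructed sample messages in the shape given by the advisory.
MSG_INCREMENT = '{"target":"CounterReflex#increment","args":[]}'
MSG_TAMPER    = '{"target":"CounterReflex#instance_variable_set","args":["@count",999]}'
MSG_HELPER    = '{"target":"CounterReflex#morph","args":["#x","<b>hi</b>"]}'

# Split the payload into (reflex class, method name, args).
def parse_reflex_message(json)
  msg = JSON.parse(json)
  class_name, method_name = msg.fetch("target").split("#", 2)
  klass = REFLEX_CLASSES.fetch(class_name) { raise ArgumentError, "unknown reflex #{class_name}" }
  [klass, method_name.to_s, Array(msg["args"])]
end

# VULNERABLE: every public method on the instance is reachable, including
# those inherited from Object/Kernel and from the framework base class.
# Returns [instance, result] so the caller can inspect the effect.
def dispatch_vulnerable(json)
  klass, meth, args = parse_reflex_message(json)
  reflex = klass.new
  [reflex, reflex.public_send(meth, *args)]
end

# HARDENED: allow only public instance methods declared on the reflex class
# itself. public_instance_methods(false) excludes ancestors, so
# instance_variable_set, send, morph and similar are rejected.
def dispatch_hardened(json)
  klass, meth, args = parse_reflex_message(json)
  allowed = klass.public_instance_methods(false)
  raise ArgumentError, "#{meth} is not an action of #{klass}" unless allowed.include?(meth.to_sym)
  reflex = klass.new
  [reflex, reflex.public_send(meth, *args)]
end

if __FILE__ == $PROGRAM_NAME
  r, = dispatch_vulnerable(MSG_TAMPER)
  puts "vulnerable: count tampered to #{r.count}"
  begin
    dispatch_hardened(MSG_TAMPER)
  rescue ArgumentError => e
    puts "hardened: #{e.message}"
  end
end
```

Because `public_instance_methods(false)` looks only at the named class, actions defined in a shared application-level base reflex would need to be allow-listed explicitly; that is the trade-off of excluding ancestors rather than trying to enumerate every dangerous inherited method.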