stimulus_reflex@2.2.3 vulnerabilities

Build reactive applications with the Rails tooling you already know and love.

latest version

3.5.2
latest non vulnerable version

3.5.2
first published

5 years ago
latest version published

5 months ago
licenses detected
- MIT
  >=0
View stimulus_reflex package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the stimulus_reflex package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Unsafe Reflection stimulus_reflex is a Build reactive applications with the Rails tooling you already know and love. Affected versions of this package are vulnerable to Unsafe Reflection due to the handling of websocket messages that allow specifying a `class_name` and `method_name`. An attacker can manipulate the server-side behavior and potentially cause denial of service by crafting malicious websocket messages that invoke unintended methods on the server. This is particularly concerning with methods like `instance_variable_set`, which can be used to alter instance variables and influence the application's logic in a harmful way. Additionally, methods intended for debugging or interactive sessions, such as `remote_byebug` or `pry`, can be invoked, leading to further security implications. The vulnerability is exacerbated by the fact that the validation of method calls based on required and optional parameters does not adequately restrict access to sensitive or unintended methods. Note: Versions `>=3.5.0.rc1 <3.5.0.rc4` contain a `render_collection` method on reflexes with a `:req` parameter. Calling this method could lead to arbitrary code execution. How to fix Unsafe Reflection? Upgrade `stimulus_reflex` to version 3.4.2, 3.5.0-rc4 or higher.	<3.4.2 >=3.5.0-pre0 <3.5.0-rc4

Unsafe Reflection

stimulus_reflex is a Build reactive applications with the Rails tooling you already know and love.

Affected versions of this package are vulnerable to Unsafe Reflection due to the handling of websocket messages that allow specifying a class_name and method_name. An attacker can manipulate the server-side behavior and potentially cause denial of service by crafting malicious websocket messages that invoke unintended methods on the server. This is particularly concerning with methods like instance_variable_set, which can be used to alter instance variables and influence the application's logic in a harmful way. Additionally, methods intended for debugging or interactive sessions, such as remote_byebug or pry, can be invoked, leading to further security implications. The vulnerability is exacerbated by the fact that the validation of method calls based on required and optional parameters does not adequately restrict access to sensitive or unintended methods.

Note:

Versions >=3.5.0.rc1 <3.5.0.rc4 contain a render_collection method on reflexes with a :req parameter. Calling this method could lead to arbitrary code execution.

How to fix Unsafe Reflection?

Upgrade stimulus_reflex to version 3.4.2, 3.5.0-rc4 or higher.

<3.4.2 >=3.5.0-pre0 <3.5.0-rc4

Go back to all versions of this package

stimulus_reflex@2.2.3 vulnerabilities

Build reactive applications with the Rails tooling you already know and love.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities