Posted by lixts via Fulldisclosure on Mar 13
StimulusReflex CVE-2024-28121
Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10.
## Vulnerable code excerpt
stimulus_reflex/lib/stimulus_reflex/reflex.rb
```ruby
# Invoke the reflex action specified by `name` and run all callbacks
def process(name, *args)
  run_callbacks(:process) { public_send(name, *args) }
end
```
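An added illustration, not StimulusReflex's own code or its actual patch: a minimal reflex base class with the excerpt's unchecked `public_send` dispatch beside an allowlisted version that only accepts public methods the concrete reflex class itself defines. `ReflexBase`, `CounterReflex`, `ReflexDispatchError` and the `process_checked` name are assumptions for this example.

```ruby
# Constructed example; class and method names are assumptions, not the project's.
class ReflexDispatchError < StandardError; end

class ReflexBase
  # Unchecked dispatch, as in the excerpt: `name` is client-controlled and
  # public_send will call any public method on the object, including the
  # ones every Ruby object inherits from Object/Kernel, not only reflex actions.
  def process_unchecked(name, *args)
    public_send(name, *args)
  end

  # Hardened dispatch: restrict `name` to public methods defined directly on the
  # concrete reflex class (public_instance_methods(false) excludes inherited ones).
  def process_checked(name, *args)
    action = name.to_s.to_sym
    allowed = self.class.public_instance_methods(false)
    unless allowed.include?(action)
      raise ReflexDispatchError, "reflex action not allowed: #{action}"
    end
    public_send(action, *args)
  end
end

# A constructed application reflex with one intended action.
class CounterReflex < ReflexBase
  attr_reader :count

  def initialize
    @count = 0
  end

  def increment(by = 1)
    @count += by
  end
end

# Unchecked: an inherited Object method is reachable and leaks internal state.
def unchecked_result
  CounterReflex.new.process_unchecked(:instance_variables) # => [:@count]
end

# Checked: the intended action works, anything not defined on the reflex is rejected.
def checked_result
  CounterReflex.new.process_checked(:increment, 5) # => 5
end
```

With the allowlist in place, `process_checked(:instance_variables)` raises `ReflexDispatchError` instead of reaching the inherited method.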
stimulus_reflex/app/channels/stimulus_reflex/channel.rb…