CVSS 3.1 Score 8.8 of 10 (high)


Published Mar 12, 2024
Updated: Mar 13, 2024
CWE ID 470


CVE-2024-28121 is a vulnerability that affects the stimulus_reflex system, which is used to extend the capabilities of Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. The vulnerability allows for more methods to be called on reflex instances than intended, which poses security risks. To exploit this vulnerability, a websocket message in the format of \"target\":\"[class_name]#[method_name]\",\"args\":[] needs to be sent. The issue has been patched in versions 3.4.2 and 3.5.0.rc4. Users who are unable to upgrade should refer to the GHSA advisory for mitigation advice. The vulnerability has a base severity rating of HIGH and can potentially have a high impact on confidentiality and integrity of an organization's system.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-28121 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options