Reflex vulnerable to private state fields modification
Package
Affected versions
>= 0.2.7, < 0.4.9.post1
> 0.4.9.post1, < 0.5.10.post1
> 0.5.10.post1, < 0.6.8.post1
> 0.6.8.post1, < 0.7.1.post1
> 0.7.1.post1, < 0.7.2.post1
> 0.7.2.post1, < 0.7.3.post1
> 0.7.3.post1, < 0.7.4.post1
> 0.7.4.post1, < 0.7.5.post1
> 0.7.5.post1, < 0.7.6.post1
> 0.7.6.post1, < 0.7.7.post1
> 0.7.7.post1, < 0.7.8.post1
> 0.7.8.post1, < 0.7.9.post1
> 0.7.9.post1, < 0.7.10.post1
> 0.7.10.post1, < 0.7.11
Patched versions
0.4.9.post1
0.5.10.post1
0.6.8.post1
0.7.1.post1
0.7.2.post1
0.7.3.post1
0.7.4.post1
0.7.5.post1
0.7.6.post1
0.7.7.post1
0.7.8.post1
0.7.9.post1
0.7.10.post1
0.7.11
Description
Published to the GitHub Advisory Database
May 15, 2025
Reviewed
May 15, 2025
Last updated
May 15, 2025
Summary
A user on the website can modify any private field on their own state.
Details
An event meant to modify client-side storage was able to modify any field on the state for the given user. This includes fields that are not client-side storage and, most importantly, private fields. The actor still has to guess the names of the private fields.
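A simplified model of the flaw described above, added here as an illustration: it is not Reflex's code, and `UserState`, `CLIENT_STORAGE_FIELDS`, `sync_storage_vulnerable` and `sync_storage_hardened` are hypothetical names. It contrasts a handler that applies every client-supplied field name with one restricted to an allowlist of client-side storage fields.

```python
from dataclasses import dataclass


# Simplified stand-in for a per-user server-side state (not a Reflex class).
@dataclass
class UserState:
    theme: str = "light"      # client-side storage field, synced from the browser
    cart_token: str = ""      # client-side storage field
    counter: int = 0          # ordinary server-side field
    _is_admin: bool = False   # private field, never meant to be client-writable


# Hypothetical allowlist: the only fields backed by client-side storage.
CLIENT_STORAGE_FIELDS = frozenset({"theme", "cart_token"})


def sync_storage_vulnerable(state, payload):
    """Flawed pattern: every field name in the client payload is applied."""
    for name, value in payload.items():
        setattr(state, name, value)
    return state


def sync_storage_hardened(state, payload):
    """Apply allowlisted fields only; return the sorted names that were refused."""
    rejected = []
    for name, value in payload.items():
        if name not in CLIENT_STORAGE_FIELDS:
            rejected.append(name)  # worth logging: the client named a foreign field
            continue
        if not isinstance(value, type(getattr(state, name))):
            rejected.append(name)  # wrong type for a storage field
            continue
        setattr(state, name, value)
    return sorted(rejected)


# Constructed payload: one legitimate storage update plus two other field names.
SAMPLE_PAYLOAD = {"theme": "dark", "_is_admin": True, "counter": 99}

if __name__ == "__main__":
    print("vulnerable:", sync_storage_vulnerable(UserState(), dict(SAMPLE_PAYLOAD)))
    hardened = UserState()
    refused = sync_storage_hardened(hardened, dict(SAMPLE_PAYLOAD))
    print("hardened:", hardened, "refused:", refused)
```

Refused field names are a useful signal in application logs, since a legitimate client has no reason to send them.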
Impact
If one of the States in your app can be modified so that the user is placed in a different role or treated as a different user, the actor can act as someone else or as an admin.