GHSA-rf8x-9mhr-49wg: Reflex vulnerable to private state fields modification

Summary

A user of a Reflex app can modify any private (backend-only) field on their own server-side State, not just the fields that are meant to be writable from the browser.

Details

A built-in event handler whose only purpose is to sync client-side storage (cookie- or local-storage-backed vars) into the State could set any field on that user's State. That includes fields that are not client-side at all and, most importantly, private fields that are never sent to the client. Exploitation still requires the attacker to know or guess the name of the private field.

Impact

If any State in your app keeps authorization data in private fields, for example the current user's ID or role, an attacker can overwrite those fields and act as another user or as an administrator.
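The bug class above, modelled as an added example that is not Reflex's own code: a toy State with public client-storage vars and private vars, a "sync client storage" handler that writes whatever keys the browser sends (the vulnerable shape), and a fixed handler that only accepts keys declared as client-storage vars. The field names, the `CLIENT_STORAGE` marker and the handler names are assumptions for illustration; Reflex's real handler and fix are in the referenced commit.

```python
"""Constructed model of GHSA-rf8x-9mhr-49wg: an event handler meant only to
sync client-side storage into the server-side State must write only the
fields that are actually backed by client storage.  Writing every key the
browser sends lets the client overwrite private fields too.
This is illustrative code, not Reflex's implementation."""
from dataclasses import dataclass, field, fields
from typing import Any

# Hypothetical marker meaning "this var is mirrored from cookie/localStorage".
CLIENT_STORAGE = "client_storage"


@dataclass
class UserState:
    # Public vars that the browser is allowed to push back to the server.
    theme: str = field(default="light", metadata={CLIENT_STORAGE: True})
    session_token: str = field(default="", metadata={CLIENT_STORAGE: True})
    # Public var that is NOT backed by client storage.
    page_title: str = "Home"
    # Private, backend-only vars (Reflex marks these with a leading underscore);
    # they are never sent to the client and must never be set by it.
    _user_id: int = 0
    _role: str = "guest"

    def update_client_storage_vulnerable(self, updates: dict[str, Any]) -> None:
        """Vulnerable shape: trusts every key in the client's event payload."""
        for name, value in updates.items():
            setattr(self, name, value)  # no allow-list, so "_role" goes through

    def update_client_storage_fixed(self, updates: dict[str, Any]) -> list[str]:
        """Fixed shape: only fields declared as client-storage vars are written.
        Returns the rejected key names so the caller can log them."""
        allowed = {f.name for f in fields(self) if f.metadata.get(CLIENT_STORAGE)}
        rejected = []
        for name, value in updates.items():
            if name in allowed:
                setattr(self, name, value)
            else:
                rejected.append(name)
        return rejected


# Constructed malicious payload: a normal client-storage update plus guessed
# private field names.  Over the websocket this is just another event.
MALICIOUS_PAYLOAD = {
    "theme": "dark",
    "page_title": "pwned",
    "_user_id": 1,
    "_role": "admin",
}


def demo_vulnerable() -> tuple[str, int, str]:
    """Apply the payload through the vulnerable handler."""
    state = UserState()
    state.update_client_storage_vulnerable(MALICIOUS_PAYLOAD)
    return state._role, state._user_id, state.page_title


def demo_fixed() -> tuple[str, int, str, str, list[str]]:
    """Apply the same payload through the fixed handler."""
    state = UserState()
    rejected = state.update_client_storage_fixed(MALICIOUS_PAYLOAD)
    return state._role, state._user_id, state.page_title, state.theme, sorted(rejected)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # ('admin', 1, 'pwned')
    print("fixed:     ", demo_fixed())        # ('guest', 0, 'Home', 'dark', [...])
```

Two things a practitioner would check beyond upgrading (`pip show reflex` against the patched versions listed below): whether any State in the app derives authorization from a field rather than from a server-validated session, and whether the app logs rejected keys from client-originated events, since a payload carrying underscore-prefixed names is a clear sign someone is probing for private fields.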

CVE ID

CVE-2025-47425

High severity. GitHub Reviewed. Published May 14, 2025 in reflex-dev/reflex; updated May 15, 2025.

Affected versions

>= 0.2.7, < 0.4.9.post1

> 0.4.9.post1, < 0.5.10.post1

> 0.5.10.post1, < 0.6.8.post1

> 0.6.8.post1, < 0.7.1.post1

> 0.7.1.post1, < 0.7.2.post1

> 0.7.2.post1, < 0.7.3.post1

> 0.7.3.post1, < 0.7.4.post1

> 0.7.4.post1, < 0.7.5.post1

> 0.7.5.post1, < 0.7.6.post1

> 0.7.6.post1, < 0.7.7.post1

> 0.7.7.post1, < 0.7.8.post1

> 0.7.8.post1, < 0.7.9.post1

> 0.7.9.post1, < 0.7.10.post1

> 0.7.10.post1, < 0.7.11

Patched versions

0.4.9.post1

0.5.10.post1

0.6.8.post1

0.7.1.post1

0.7.2.post1

0.7.3.post1

0.7.4.post1

0.7.5.post1

0.7.6.post1

0.7.7.post1

0.7.8.post1

0.7.9.post1

0.7.10.post1

0.7.11

References

  • GHSA-rf8x-9mhr-49wg
  • reflex-dev/reflex@cf8f5db

Published to the GitHub Advisory Database

May 15, 2025

Last updated

May 15, 2025
