CVE-2025-62379
Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...
GHSA-RFH5-C9H5-Q8JM reflex-dev/reflex has an Open Redirect vulnerability
Mitigation: make sure GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment, so that the following holds: assert os.getenv("GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN") is None. Vulnerability Description / Vulnerability Overview: when the GET /auth-codespace page loads in a GitHub...
pycodium (>=0.1.0 <=0.2.1), reflex-ai (>=0.1.0a1 <=0.1.0a18) +10 more potentially affected by CVE-2025-62379 via reflex (>=0.6.0a4 <=0.8.0a7)
reflex PYPI version =0.6.0a4, =0.1.0, =0.1.0a1, =0.2.0, =0.0.1, =0.1.6, =1.0.0, =0.0.9, =10.0.11, =10.0.28 Source cves: CVE-2025-62379 Source advisory: SNYK:PYTHON-REFLEX-13560525...
Reflex input validation error vulnerability
Reflex is a web application from the Reflex open source project. An input validation error vulnerability exists in Reflex versions 0.5.4 through 0.8.14, which stems from an unvalidated redirect_to query parameter value that could cause a user to be redirected to an arbitrary external URL...
pycodium (>=0.1.0 <=0.2.1), reflex-icon-library (=1.4.2) potentially affected by CVE-2025-47425 via reflex (>=0.7.12 <=0.7.14)
reflex PYPI version =0.7.12, =0.1.0, =0.2.1 - reflex-icon-library =1.4.2 Source cves: CVE-2025-47425 Source advisory: SNYK:PYTHON-REFLEX-10442544...
CVE-2024-28121 Reflex arbitrary method call in stimulus_reflex
stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions, more methods than expected can be called on reflex instances. Being able to call some of them has security...