{ "schema_version": "1.4.0", "id": "GHSA-q92j-grw3-h492", "modified": "2025-03-24T14:49:01Z", "published": "2025-03-12T19:28:00Z", "aliases": [ "CVE-2025-27407" ], "summary": "graphql allows remote code execution when loading a crafted GraphQL schema", "details": "# Summary\n\nLoading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.4.0" }, { "fixed": "2.4.13" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.3.0" }, { "fixed": "2.3.21" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.17" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1.0" }, { "fixed": "2.1.15" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.32" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.13.0" }, { "fixed": "1.13.24" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.12.0" }, { "fixed": "1.12.25" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "graphql" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.11.5" }, { "fixed": "1.11.11" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27407" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367" }, { "type": "WEB", "url": "https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e" }, { "type": "WEB", "url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released" }, { "type": "WEB", "url": "https://github.com/github-community-projects/graphql-client" }, { "type": "PACKAGE", "url": "https://github.com/rmosolgo/graphql-ruby" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-03-12T19:28:00Z", "nvd_published_at": "2025-03-12T19:15:40Z" } }