GHSA-q92j-grw3-h492: graphql allows remote code execution when loading a crafted GraphQL schema
CVE-2025-27407
Critical severity GitHub Reviewed Published Mar 12, 2025 in rmosolgo/graphql-ruby • Updated Mar 12, 2025
Package
| Affected versions | Patched versions |
|---|---|
| >= 2.4.0, < 2.4.13 | 2.4.13 |
| >= 2.3.0, < 2.3.21 | 2.3.21 |
| >= 2.2.10, < 2.2.17 | 2.2.17 |
| >= 2.1.0, < 2.1.14 | 2.1.14 |
| >= 2.0.0, < 2.0.32 | 2.0.32 |
| >= 1.13.0, < 1.13.24 | 1.13.24 |
| >= 1.12.0, < 1.12.25 | 1.12.25 |
| >= 1.11.5, < 1.11.8 | 1.11.8 |
Summary
Loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system that loads a schema from JSON supplied by an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.
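As an added example (not code from the advisory or from the graphql-ruby project), the following Ruby check maps an installed graphql gem version to the patched release using the affected ranges listed above, so a team can triage lockfiles quickly; the Gemfile.lock fragment and the helper names are constructed for illustration.

```ruby
require "rubygems"

# Affected ranges and the patched release for each, copied from the advisory table.
# Each entry: [lower bound (inclusive), upper bound (exclusive), patched version].
GRAPHQL_GHSA_Q92J_RANGES = [
  ["2.4.0",  "2.4.13",  "2.4.13"],
  ["2.3.0",  "2.3.21",  "2.3.21"],
  ["2.2.10", "2.2.17",  "2.2.17"],
  ["2.1.0",  "2.1.14",  "2.1.14"],
  ["2.0.0",  "2.0.32",  "2.0.32"],
  ["1.13.0", "1.13.24", "1.13.24"],
  ["1.12.0", "1.12.25", "1.12.25"],
  ["1.11.5", "1.11.8",  "1.11.8"],
].freeze

# Returns the patched version to upgrade to when `version` falls inside an
# affected range, or nil when the version is outside every listed range.
def graphql_fix_for(version)
  v = Gem::Version.new(version)
  GRAPHQL_GHSA_Q92J_RANGES.each do |lo, hi, patched|
    return patched if v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
  nil
end

# Reads the resolved graphql version from Gemfile.lock text (the 4-space
# "specs:" entry, not the 6-space dependency lines) and reports the verdict.
def check_gemfile_lock(lock_text)
  m = lock_text.match(/^ {4}graphql \(([^)]+)\)$/)
  return "graphql not found in lockfile" unless m
  fix = graphql_fix_for(m[1])
  return "graphql #{m[1]} is not in an affected range" unless fix
  "graphql #{m[1]} is affected by GHSA-q92j-grw3-h492; upgrade to #{fix}"
end

if __FILE__ == $0
  # Constructed sample Gemfile.lock fragment (hypothetical project).
  sample = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        graphql (2.4.12)
  LOCK
  puts check_gemfile_lock(sample)
end
```

Independently of the gem version, only load schemas through from_introspection or Loader.load from sources you control, since the fix removes the code path but the trust boundary is still yours to enforce.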
References
- GHSA-q92j-grw3-h492
- rmosolgo/graphql-ruby@e58676c
Published to the GitHub Advisory Database: Mar 12, 2025
Last updated: Mar 12, 2025