CVE-2025-27407: Remote code execution when loading a crafted GraphQL schema
First published: Wed Mar 12 2025(Updated: )
# Summary Loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| graphql-ruby | >1.11.5<=1.11.8>1.11.8<=1.12.25>1.12.25<=1.13.24>1.13.24<=2.0.32>2.0.32<=2.1.14>2.1.14<=2.2.17>2.2.17<=2.3.21 | |
| rubygems/graphql | >=1.11.5<1.11.11 | 1.11.11 |
| rubygems/graphql | >=2.1.0<2.1.15 | 2.1.15 |
| rubygems/graphql | >=1.12.0<1.12.25 | 1.12.25 |
| rubygems/graphql | >=1.13.0<1.13.24 | 1.13.24 |
| rubygems/graphql | >=2.0.0<2.0.32 | 2.0.32 |
| rubygems/graphql | >=2.2.10<2.2.17 | 2.2.17 |
| rubygems/graphql | >=2.3.0<2.3.21 | 2.3.21 |
| rubygems/graphql | >=2.4.0<2.4.13 | 2.4.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
- https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
- https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
- https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
- https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
- https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
- https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
- https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
- https://github.com/github-community-projects/graphql-client
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
- https://nvd.nist.gov/vuln/detail/CVE-2025-27407
- https://github.com/advisories/GHSA-q92j-grw3-h492 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-27407?
CVE-2025-27407 has been classified with a severity level indicating potential impact due to the loading of a malicious schema.
How do I fix CVE-2025-27407?
To fix CVE-2025-27407, upgrade to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, or 2.3.21 of graphql-ruby.
Which versions of graphql-ruby are affected by CVE-2025-27407?
The affected versions of graphql-ruby range from 1.11.5 to 1.11.8, from 1.12.0 to 1.12.25, and several other specific versions until 2.3.21.
What kind of vulnerability is CVE-2025-27407?
CVE-2025-27407 is a vulnerability related to the unsafe loading of malicious schema definitions in the graphql-ruby implementation.
Is there a specific method that is vulnerable in CVE-2025-27407?
Yes, the methods `GraphQL::Schema.from_introspection` and `GraphQL::Schema::Loader.load` are specifically vulnerable in CVE-2025-27407.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/author
- agent/severity
- agent/source
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q92j-grw3-h492
- alias/CVE-2025-27407
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- vendor/graphql-ruby
- canonical/graphql-ruby
- package-manager/rubygems