GHSA-q92j-grw3-h492: Code Injection
First published: Wed Mar 12 2025(Updated: )
# Summary Loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/graphql | >=1.11.5<1.11.11 | 1.11.11 |
| rubygems/graphql | >=2.1.0<2.1.15 | 2.1.15 |
| rubygems/graphql | >=1.12.0<1.12.25 | 1.12.25 |
| rubygems/graphql | >=1.13.0<1.13.24 | 1.13.24 |
| rubygems/graphql | >=2.0.0<2.0.32 | 2.0.32 |
| rubygems/graphql | >=2.2.10<2.2.17 | 2.2.17 |
| rubygems/graphql | >=2.3.0<2.3.21 | 2.3.21 |
| rubygems/graphql | >=2.4.0<2.4.13 | 2.4.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
- https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
- https://nvd.nist.gov/vuln/detail/CVE-2025-27407
- https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
- https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
- https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
- https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
- https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
- https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
- https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.com/github-community-projects/graphql-client
- https://github.com/advisories/GHSA-q92j-grw3-h492 (Advisory)
Frequently Asked Questions
What is the severity of GHSA-q92j-grw3-h492?
The severity of GHSA-q92j-grw3-h492 is high due to the potential for remote code execution.
How do I fix GHSA-q92j-grw3-h492?
To fix GHSA-q92j-grw3-h492, upgrade to GraphQL version 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, 2.3.21, or 2.4.13.
What types of applications are affected by GHSA-q92j-grw3-h492?
Applications that load a GraphQL schema from untrusted JSON sources are vulnerable to GHSA-q92j-grw3-h492.
Can GHSA-q92j-grw3-h492 impact production environments?
Yes, GHSA-q92j-grw3-h492 can significantly impact production environments due to the risk of remote code execution.
What is the recommended action for developers regarding GHSA-q92j-grw3-h492?
Developers should immediately update their GraphQL library to a secure version to mitigate risks associated with GHSA-q92j-grw3-h492.
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/source
- agent/first-publish-date
- agent/softwarecombine
- agent/type
- agent/description
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q92j-grw3-h492
- alias/CVE-2025-27407
- agent/software-canonical-lookup
- package-manager/rubygems