{"id":"CVE-2025-27407","summary":"Remote code execution when loading a crafted GraphQL schema","details":"graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.","aliases":["GHSA-q92j-grw3-h492"],"modified":"2026-04-10T05:24:51.408099Z","published":"2025-03-12T18:15:57.957Z","database_specific":{"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27407.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27407.json"},{"type":"ADVISORY","url":"https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27407"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c"},{"type":"FIX","url":"https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367"},{"type":"PACKAGE","url":"https://github.com/github-community-projects/graphql-client"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"bc699e57f7583ec4c5ed4bddae2b5f870b5b76d0"},{"fixed":"9069ba310846dea7636dd24ca0c743eccf4beb3d"}],"database_specific":{"versions":[{"introduced":"1.11.5"},{"fixed":"1.11.8"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"a9a7373a1fbf91cbcc10a1385cc4cf8c2af8254d"},{"fixed":"e5e8e3b04a13389e876fb153e8e72d4434de1513"}],"database_specific":{"versions":[{"introduced":"1.12.0"},{"fixed":"1.12.25"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"ec0611acdadf39243ac680a0224550a09d0fc043"},{"fixed":"887193770b8d0e6a0d3f15b58addc495c998e413"}],"database_specific":{"versions":[{"introduced":"1.13.0"},{"fixed":"1.13.24"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"134e04cc93a580445a01178d69edc49e8aba0eeb"},{"fixed":"5f74806f72f86d9245d0719477a4de7abf5eb076"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.0.32"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"7565aa84a88f2fa2bfdabb1c43b9221ddd9e431f"},{"fixed":"a1e3f51f17adb62f8a6fc4b6d542f25a354f9719"}],"database_specific":{"versions":[{"introduced":"2.1.0"},{"fixed":"2.1.14"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"8270480f4264ab31ae84dc225937cbd03e2a4843"},{"fixed":"efbbdae81c7a18fc13424a7aae60c52c312f38c5"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.2.17"}]}},{"type":"GIT","repo":"https://github.com/rmosolgo/graphql-ruby","events":[{"introduced":"c9a86dc4b9b3224f54fd17fa69194ece5e54dd46"},{"fixed":"f20c5c3c83761ebe2ce084f3a693ad4a03d5682d"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"2.3.21"}]}}],"versions":["graphql-c_parser-v1.0.2","graphql-c_parser-v1.0.3","graphql-c_parser-v1.0.4","graphql-c_parser-v1.0.5","graphql-c_parser-v1.0.6","graphql-c_parser-v1.0.7","graphql-c_parser-v1.0.8","graphql-c_parser-v1.1.0","graphql-c_parser-v1.1.1","v1.0.1","v1.11.5","v1.11.6","v1.11.7","v1.12.0","v1.12.1","v1.12.10","v1.12.11","v1.12.12","v1.12.13","v1.12.14","v1.12.15","v1.12.16","v1.12.17","v1.12.18","v1.12.19","v1.12.2","v1.12.20","v1.12.21","v1.12.22","v1.12.23","v1.12.24","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.12.8","v1.12.9","v1.13.0","v1.13.1","v1.13.10","v1.13.11","v1.13.12","v1.13.13","v1.13.14","v1.13.15","v1.13.16","v1.13.17","v1.13.18","v1.13.19","v1.13.2","v1.13.20","v1.13.21","v1.13.22","v1.13.23","v1.13.3","v1.13.4","v1.13.5","v1.13.6","v1.13.7","v1.13.8","v1.13.9","v2.0.0","v2.0.1","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.18","v2.0.19","v2.0.2","v2.0.20","v2.0.21","v2.0.22","v2.0.23","v2.0.24","v2.0.25","v2.0.26","v2.0.27","v2.0.28","v2.0.29","v2.0.3","v2.0.30","v2.0.31","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.14","v2.2.15","v2.2.16","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.17","v2.3.18","v2.3.19","v2.3.2","v2.3.20","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27407.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}