Vulnerability-Lookup - Search a vulnerability

Vulnerabilites related to rmosolgo - graphql-ruby

CVE-2025-27407 (GCVE-0-2025-27407)

Vulnerability from cvelistv5

Published

2025-03-12 18:15

Modified

2025-03-12 20:47

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

References

►

URL

Tags

	https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492	x_refsource_CONFIRM
	https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c	x_refsource_MISC
	https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367	x_refsource_MISC
	https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released	x_refsource_MISC
	https://github.com/github-community-projects/graphql-client	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	rmosolgo	graphql-ruby	Version: >= 1.11.5, < 1.11.8 Version: >= 1.12.0, < 1.12.25 Version: >= 1.13.0, < 1.13.24 Version: >= 2.0.0, < 2.0.32 Version: >= 2.1.0, < 2.1.14 Version: >= 2.2.0, < 2.2.17 Version: >= 2.3.0, < 2.3.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27407",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T18:41:38.718466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-12T18:42:08.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "graphql-ruby",
          "vendor": "rmosolgo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.5, \u003c 1.11.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.12.0, \u003c 1.12.25"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.13.0, \u003c 1.13.24"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.32"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.3.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T20:47:41.948Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c"
        },
        {
          "name": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367"
        },
        {
          "name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
        },
        {
          "name": "https://github.com/github-community-projects/graphql-client",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/github-community-projects/graphql-client"
        }
      ],
      "source": {
        "advisory": "GHSA-q92j-grw3-h492",
        "discovery": "UNKNOWN"
      },
      "title": "Remote code execution when loading a crafted GraphQL schema"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27407",
    "datePublished": "2025-03-12T18:15:57.957Z",
    "dateReserved": "2025-02-24T15:51:17.268Z",
    "dateUpdated": "2025-03-12T20:47:41.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}