CVE-2025-27407

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27407
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27407.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-27407
Aliases
Related
Withdrawn
2025-03-17T16:50:08.354449Z
Published
2025-03-12T19:15:40Z
Modified
2025-03-17T05:50:46.711033Z
Downstream
Summary
[none]
Details

graphql-ruby is a Ruby implementation of GraphQL. In versions from 1.11.5 up to, but not including, 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17 and 2.3.21 (each the first fixed release on its minor line), loading a malicious schema definition through GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system that loads a schema from JSON obtained from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17 and 2.3.21 contain a patch for the issue; until upgraded, introspection JSON should only be loaded from sources the application already trusts.
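The two practical checks that follow from the advisory are (a) is the graphql gem in this project inside the affected range, and (b) is the introspection JSON about to be passed to the schema loader actually the document the team reviewed, rather than whatever an external endpoint returned today. The script below, an added example that is not part of this advisory or of graphql-ruby itself, implements both using only the Ruby standard library (Gem::Version, Digest, JSON), so it runs without the graphql gem installed. The fixed-version table is taken from the advisory text; the treatment of minor branches newer than 2.3 as released after the fix is an assumption, and the Gemfile.lock excerpt is constructed sample input.

```ruby
# Added example (not from the advisory or the graphql-ruby project):
# version check for CVE-2025-27407 plus a digest pin for introspection JSON.
require "rubygems" # Gem::Version
require "digest"
require "json"

# From the advisory: 1.11.5 is the first affected release, and each entry
# below is the first fixed release on its minor branch.
INTRODUCED = Gem::Version.new("1.11.5")
FIXED_BY_BRANCH = {
  "1.11" => Gem::Version.new("1.11.8"),
  "1.12" => Gem::Version.new("1.12.25"),
  "1.13" => Gem::Version.new("1.13.24"),
  "2.0"  => Gem::Version.new("2.0.32"),
  "2.1"  => Gem::Version.new("2.1.14"),
  "2.2"  => Gem::Version.new("2.2.17"),
  "2.3"  => Gem::Version.new("2.3.21"),
}.freeze
LATEST_FIX = FIXED_BY_BRANCH.values.max

# Classifies a graphql gem version as :not_affected, :vulnerable or :fixed.
def cve_2025_27407_status(version_string)
  v = Gem::Version.new(version_string)
  return :not_affected if v < INTRODUCED
  branch = v.segments[0, 2].join(".")
  fixed = FIXED_BY_BRANCH[branch]
  # Assumption: a branch not listed in the advisory (e.g. 2.4.x) was first
  # released after 2.3.21 and therefore carries the fix; anything else
  # unknown is treated as vulnerable to stay conservative.
  return(v >= LATEST_FIX ? :fixed : :vulnerable) if fixed.nil?
  v >= fixed ? :fixed : :vulnerable
end

# Finds the resolved "graphql (x.y.z)" spec line in Gemfile.lock text.
# Dependency lines ("      graphql (>= 1.13.0)") are indented deeper and
# are not matched; "graphql-client" and "graphql-c_parser" are skipped
# because the gem name must be followed directly by " (".
def scan_gemfile_lock(lock_text)
  m = lock_text.match(/^ {4}graphql \(([^)]+)\)$/)
  return nil if m.nil?
  { version: m[1], status: cve_2025_27407_status(m[1]) }
end

# Only hand introspection JSON to GraphQL::Schema::Loader.load when it is
# byte-for-byte the document that was reviewed and pinned by SHA-256.
# The parse step additionally rejects anything that is not an object with
# the introspection envelope ("data" or "__schema") at the top level.
def schema_json_trusted?(json_text, expected_sha256)
  return false unless Digest::SHA256.hexdigest(json_text) == expected_sha256
  doc = JSON.parse(json_text)
  doc.is_a?(Hash) && (doc.key?("data") || doc.key?("__schema"))
rescue JSON::ParserError
  false
end

# Constructed sample input: a lock file resolving a vulnerable release.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.3.20)
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)
LOCK

# Constructed sample schema document and its pinned digest.
SAMPLE_SCHEMA_JSON = '{"data":{"__schema":{"queryType":{"name":"Query"},"types":[]}}}'
SAMPLE_SCHEMA_SHA256 = Digest::SHA256.hexdigest(SAMPLE_SCHEMA_JSON)

if $PROGRAM_NAME == __FILE__
  result = scan_gemfile_lock(SAMPLE_GEMFILE_LOCK)
  puts "graphql #{result[:version]}: #{result[:status]}"
  tampered = SAMPLE_SCHEMA_JSON.sub("Query", "Mutation")
  puts "pinned schema trusted:   #{schema_json_trusted?(SAMPLE_SCHEMA_JSON, SAMPLE_SCHEMA_SHA256)}"
  puts "tampered schema trusted: #{schema_json_trusted?(tampered, SAMPLE_SCHEMA_SHA256)}"
end
```

Run it in CI against the real Gemfile.lock and fail the build on :vulnerable; for applications that must fetch a schema from a remote service, re-review and re-pin the digest whenever that service legitimately changes its schema, rather than loading whatever introspection returns at boot.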

References

Affected packages

Debian:11 / ruby-graphql

Package

Name
ruby-graphql
Purl
pkg:deb/debian/ruby-graphql?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.11.4-1
1.11.8-1
1.11.8-2
1.11.8-3
1.11.10-1
1.13.15-1
1.13.20-1

2.*

2.2.5-1
2.2.5-2
2.2.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-graphql

Package

Name
ruby-graphql
Purl
pkg:deb/debian/ruby-graphql?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.13.15-1
1.13.20-1

2.*

2.2.5-1
2.2.5-2
2.2.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-graphql

Package

Name
ruby-graphql
Purl
pkg:deb/debian/ruby-graphql?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.13.15-1
1.13.20-1

2.*

2.2.5-1
2.2.5-2
2.2.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/rmosolgo/graphql-ruby

Affected ranges

Affected versions

graphql-c_parser-v1.*

graphql-c_parser-v1.0.2
graphql-c_parser-v1.0.3
graphql-c_parser-v1.0.4
graphql-c_parser-v1.0.5
graphql-c_parser-v1.0.6
graphql-c_parser-v1.0.7
graphql-c_parser-v1.0.8
graphql-c_parser-v1.1.0
graphql-c_parser-v1.1.1

Other

shopify-2016-07-27

v0.*

v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.10.8
v0.10.9
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.10
v0.18.11
v0.18.12
v0.18.13
v0.18.14
v0.18.15
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.8
v0.18.9
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.19.4
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.2
v0.9.3
v0.9.4
v0.9.5

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.10.0.pre1
v1.10.0.pre2
v1.10.0.pre3
v1.10.0.pre4
v1.10.1
v1.10.10
v1.10.11
v1.10.12
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
v1.10.7
v1.10.8
v1.10.8.dev1
v1.10.9
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.12.0
v1.12.1
v1.12.10
v1.12.11
v1.12.12
v1.12.13
v1.12.14
v1.12.15
v1.12.16
v1.12.17
v1.12.18
v1.12.19
v1.12.2
v1.12.20
v1.12.21
v1.12.22
v1.12.23
v1.12.24
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.12.7
v1.12.8
v1.12.9
v1.13.0
v1.13.1
v1.13.10
v1.13.11
v1.13.12
v1.13.13
v1.13.14
v1.13.15
v1.13.16
v1.13.17
v1.13.18
v1.13.19
v1.13.2
v1.13.20
v1.13.21
v1.13.22
v1.13.23
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.2
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.6
v1.6.7
v1.6.8
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.0.pre10
v1.8.0.pre11
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.0.pre1
v1.9.0.pre2
v1.9.0.pre3
v1.9.0.pre4
v1.9.1
v1.9.10
v1.9.11
v1.9.12
v1.9.13
v1.9.14
v1.9.15
v1.9.16
v1.9.17
v1.9.18
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9

v2.*

v2.0.0
v2.0.1
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.3
v2.0.30
v2.0.31
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9