{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-27407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-24T15:51:17.268Z", "datePublished": "2025-03-12T18:15:57.957Z", "dateUpdated": "2025-11-03T19:45:32.739Z"}, "containers": {"cna": {"title": "Remote code execution when loading a crafted GraphQL schema", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c"}, {"name": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367", "tags": ["x_refsource_MISC"], "url": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367"}, {"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released", "tags": ["x_refsource_MISC"], "url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"}, {"name": "https://github.com/github-community-projects/graphql-client", "tags": ["x_refsource_MISC"], "url": "https://github.com/github-community-projects/graphql-client"}], "affected": [{"vendor": "rmosolgo", "product": "graphql-ruby", "versions": [{"version": ">= 1.11.5, < 1.11.8", "status": "affected"}, {"version": ">= 1.12.0, < 1.12.25", "status": "affected"}, {"version": ">= 1.13.0, < 1.13.24", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.32", "status": "affected"}, {"version": ">= 2.1.0, < 2.1.14", "status": "affected"}, {"version": ">= 2.2.0, < 2.2.17", "status": "affected"}, {"version": ">= 2.3.0, < 2.3.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-12T20:47:41.948Z"}, "descriptions": [{"lang": "en", "value": "graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue."}], "source": {"advisory": "GHSA-q92j-grw3-h492", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T18:41:38.718466Z", "id": "CVE-2025-27407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T18:42:08.976Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:45:32.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-12T18:41:38.718466Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T18:41:44.359Z"}}], "cna": {"title": "Remote code execution when loading a crafted GraphQL schema", "source": {"advisory": "GHSA-q92j-grw3-h492", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rmosolgo", "product": "graphql-ruby", "versions": [{"status": "affected", "version": ">= 1.11.5, < 1.11.8"}, {"status": "affected", "version": ">= 1.12.0, < 1.12.25"}, {"status": "affected", "version": ">= 1.13.0, < 1.13.24"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.32"}, {"status": "affected", "version": ">= 2.1.0, < 2.1.14"}, {"status": "affected", "version": ">= 2.2.0, < 2.2.17"}, {"status": "affected", "version": ">= 2.3.0, < 2.3.21"}]}], "references": [{"url": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492", "name": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd", "name": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f", "name": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be", "name": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca", "name": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb", "name": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c", "name": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367", "name": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367", "tags": ["x_refsource_MISC"]}, {"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released", "name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/github-community-projects/graphql-client", "name": "https://github.com/github-community-projects/graphql-client", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-12T20:47:41.948Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27407", "state": "PUBLISHED", "dateUpdated": "2025-03-12T20:47:41.948Z", "dateReserved": "2025-02-24T15:51:17.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-12T18:15:57.957Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue."}, {"lang": "es", "value": "graphql-ruby es una implementaci\u00f3n Ruby de GraphQL. A partir de la versi\u00f3n 1.11.5 y anteriores a las versiones 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17 y 2.3.21, cargar una definici\u00f3n de esquema maliciosa en `GraphQL::Schema.from_introspection` (o `GraphQL::Schema::Loader.load`) puede provocar la ejecuci\u00f3n remota de c\u00f3digo. Cualquier sistema que cargue un esquema mediante JSON desde una fuente no confiable es vulnerable, incluyendo aquellos que usan GraphQL::Client para cargar esquemas externos mediante la introspecci\u00f3n de GraphQL. Las versiones 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17 y 2.3.21 contienen un parche para el problema."}], "id": "CVE-2025-27407", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-12T19:15:40.597", "references": [{"source": "security-advisories@github.com", "url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"}, {"source": "security-advisories@github.com", "url": "https://github.com/github-community-projects/graphql-client"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367"}, {"source": "security-advisories@github.com", "url": "https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3492", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "impact": "important", "package": "rubygem-graphql-0:1.13.24-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3491", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "impact": "important", "package": "rubygem-graphql-0:1.13.24-1.el8sat", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3490", "cpe": "cpe:/a:redhat:satellite:6.16::el8", "impact": "important", "package": "rubygem-graphql-0:1.13.24-1.el8sat", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3490", "cpe": "cpe:/a:redhat:satellite:6.16::el9", "impact": "important", "package": "rubygem-graphql-0:1.13.24-1.el9sat", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:4576", "cpe": "cpe:/a:redhat:satellite:6.17::el9", "impact": "important", "package": "rubygem-graphql-0:1.13.24-1.el9sat", "product_name": "Red Hat Satellite 6.17 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}], "bugzilla": {"description": "graphql-ruby: Remote code execution when loading a crafted GraphQL schema", "id": "2351767", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351767"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.", "A flaw was found in graphql-ruby. In affected versions of graphq-ruby, loading a malicious schema definition in the `GraphQL::Schema.from_introspection` or the `GraphQL::Schema::Loader.load` can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection."], "mitigation": {"lang": "en:us", "value": "A successful exploitation of this flaw requires GraphQL schema loading. Limiting the schema loading to trusted or authenticated users will limit the impact of the vulnerability. Coupling that with a strict input validation for all GraphQL schema being loaded would reduce the risk of a successful attack and cover as a possible mitigation strategy for this vulnerability."}, "name": "CVE-2025-27407", "public_date": "2025-03-12T18:15:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27407\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27407\nhttps://github.com/github-community-projects/graphql-client\nhttps://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd\nhttps://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f\nhttps://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be\nhttps://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca\nhttps://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb\nhttps://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c\nhttps://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367\nhttps://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492"], "statement": "This vulnerability is marked as Important rather than Critical because interaction with the vulnerable GraphQL library is restricted to only authenticated users in Red Hat Satellite. Satellite does not dynamically load schemas from external sources, further reducing the feasibility of exploitation.", "threat_severity": "Important"}

{}