CVE-2025-27407
published 2025-03-12


Priority: P263
Severity: critical, CVSS 3.1 base score 9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.86% (85.0th percentile)
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

Affected

18 ranges

Vendor | Product | Version range | Fixed in
debian | ruby-graphql | < ruby-graphql 1.11.12-0+deb11u1 (bullseye) | ruby-graphql 1.11.12-0+deb11u1 (bullseye)
graphql | graphql | >= 1.11.5, < 1.11.11 | 1.11.11
graphql | graphql | >= 1.12.0, < 1.12.25 | 1.12.25
graphql | graphql | >= 1.13.0, < 1.13.24 | 1.13.24
graphql | graphql | >= 2.0.0, < 2.0.32 | 2.0.32
graphql | graphql | >= 2.1.0, < 2.1.15 | 2.1.15
graphql | graphql | >= 2.2.0, < 2.2.17 | 2.2.17
graphql | graphql | >= 2.3.0, < 2.3.21 | 2.3.21
graphql | graphql | >= 2.4.0, < 2.4.13 | 2.4.13
linux | linux_kernel | >= 0, < 5.15.0-153.163 | 5.15.0-153.163
msrc | cbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0 | |
rmosolgo | graphql-ruby | |

Detection & IOCs (extracted from sources)

  • Remote code execution is triggered via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load when loading a malicious schema definition from an untrusted JSON source
  • Monitor for GraphQL introspection calls originating from untrusted or external sources, especially where GraphQL::Client is used to load external schemas
  • In GitLab, exploitation requires the Direct Transfer feature to be enabled (disabled by default); monitor for unexpected enablement of this feature combined with authenticated user activity
  • Flag graphql-ruby versions >= 1.11.5 and < patched versions (1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, 2.3.21) in software inventory as vulnerable
  • In GitLab, the Direct Transfer feature must be enabled for exploitation; it is disabled by default, so instances with default configuration have reduced exposure
  • Red Hat Satellite restricts GraphQL library interaction to authenticated users only and does not dynamically load schemas from external sources, reducing exploitability
  • Limiting schema loading to trusted or authenticated users and applying strict input validation on all GraphQL schemas being loaded are recommended mitigations
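Added example, not code from graphql-ruby or from this page: a Ruby version check that implements the software-inventory rule above (flag graphql-ruby >= 1.11.5 and below the patched release of its series). The fix table is taken from the advisory text; because the Affected table on this page names different fixed versions for some series (1.11.11, 2.1.15, and 2.4.13 for the 2.4 series), the table is a keyword parameter so it can be swapped. The Gemfile.lock text and all version strings below are constructed for the example. A series the fix table does not cover is reported as :unknown rather than silently treated as safe.

```ruby
require "rubygems" # provides Gem::Version; loaded by default in modern Ruby

# Fixed versions per release series, copied from the advisory text on this page.
# The page's Affected table lists different fixes for a few series
# (1.11.11, 2.1.15, 2.4.13); pass an alternative table via `fixes:` to use those.
ADVISORY_FIXES = {
  "1.11" => "1.11.8",
  "1.12" => "1.12.25",
  "1.13" => "1.13.24",
  "2.0"  => "2.0.32",
  "2.1"  => "2.1.14",
  "2.2"  => "2.2.17",
  "2.3"  => "2.3.21",
}.freeze

# First affected release per the advisory.
FIRST_AFFECTED = Gem::Version.new("1.11.5")

# Classify one graphql-ruby version string as :not_affected, :vulnerable,
# :patched, or :unknown. :unknown covers a release series absent from the
# fix table and unparseable strings; both warrant a manual check.
def graphql_ruby_status(version_string, fixes: ADVISORY_FIXES)
  version = Gem::Version.new(version_string)
  return :not_affected if version < FIRST_AFFECTED

  series = version.segments.first(2).join(".")
  fixed = fixes[series]
  return :unknown unless fixed

  version < Gem::Version.new(fixed) ? :vulnerable : :patched
rescue ArgumentError # Gem::Version rejects malformed version strings
  :unknown
end

# Find every top-level `graphql (x.y.z)` spec entry in Gemfile.lock text and
# report its status. Top-level specs are indented four spaces; transitive
# dependency lines (six spaces) and the DEPENDENCIES section (two spaces)
# are deliberately not matched.
def scan_gemfile_lock(lock_text, fixes: ADVISORY_FIXES)
  lock_text.scan(/^ {4}graphql \(([^)]+)\)\s*$/).flatten.map do |v|
    [v, graphql_ruby_status(v, fixes: fixes)]
  end
end

# Constructed sample lockfile (hypothetical versions) for the demonstration.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.3.20)
        base64
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)

  DEPENDENCIES
    graphql (~> 2.3)
    graphql-client
LOCK

if $PROGRAM_NAME == __FILE__
  scan_gemfile_lock(SAMPLE_GEMFILE_LOCK).each do |version, status|
    puts "graphql #{version}: #{status}"
  end
end
```

Run it against a real lockfile with `scan_gemfile_lock(File.read("Gemfile.lock"))`; anything reported as :vulnerable or :unknown should be reviewed against the fix table you trust for that series.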

CVSS provenance

nvd: v3.1, 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
osv: 9.0 CRITICAL
vendor_debian: 9.0 CRITICAL
vendor_redhat: 9.0 CRITICAL
vendor_msrc: 8.4 HIGH