CVE-2025-27407
Published 2025-03-12
Priority: P2 · 63 · critical · 9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.86% (85.0th percentile)
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-graphql | < ruby-graphql 1.11.12-0+deb11u1 (bullseye) | ruby-graphql 1.11.12-0+deb11u1 (bullseye) |
| graphql | graphql | >= 1.11.5 < 1.11.11 | 1.11.11 |
| graphql | graphql | >= 1.12.0 < 1.12.25 | 1.12.25 |
| graphql | graphql | >= 1.13.0 < 1.13.24 | 1.13.24 |
| graphql | graphql | >= 2.0.0 < 2.0.32 | 2.0.32 |
| graphql | graphql | >= 2.1.0 < 2.1.15 | 2.1.15 |
| graphql | graphql | >= 2.2.0 < 2.2.17 | 2.2.17 |
| graphql | graphql | >= 2.3.0 < 2.3.21 | 2.3.21 |
| graphql | graphql | >= 2.4.0 < 2.4.13 | 2.4.13 |
| linux | linux_kernel | >= 0 < 5.15.0-153.163 | 5.15.0-153.163 |
| msrc | cbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0 | — | — |
| rmosolgo | graphql-ruby | — | — |
Detection & IOCs (extracted from sources)
- Remote code execution is triggered via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load when loading a malicious schema definition from an untrusted JSON source
- Monitor for GraphQL introspection calls originating from untrusted or external sources, especially where GraphQL::Client is used to load external schemas
- In GitLab, exploitation requires the Direct Transfer feature to be enabled (disabled by default); monitor for unexpected enablement of this feature combined with authenticated user activity
- Flag graphql-ruby versions >= 1.11.5 and < patched versions (1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, 2.3.21) in software inventory as vulnerable
- In GitLab, the Direct Transfer feature must be enabled for exploitation; it is disabled by default, so instances with default configuration have reduced exposure
- Red Hat Satellite restricts GraphQL library interaction to authenticated users only and does not dynamically load schemas from external sources, reducing exploitability
- Limiting schema loading to trusted or authenticated users and applying strict input validation on all GraphQL schemas being loaded are recommended mitigations
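The inventory check recommended above (flag installed graphql-ruby versions that fall inside an affected range), written out as an added example; this is not code from the advisory, from graphql-ruby, or from any vendor quoted on this page. It reads the `graphql` gem's resolved version out of a Gemfile.lock and compares it against the ranges in the "Affected" table above using the stdlib `Gem::Version` / `Gem::Requirement` classes. Two assumptions: the lockfile follows Bundler's usual `specs:` layout (direct entries indented four spaces), and the table's ranges are used where they are wider than the advisory text (the text names 1.11.8 and 2.1.14 as patched, the table ends those ranges at 1.11.11 and 2.1.15). The sample lockfile is constructed for the example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement (stdlib)

# Affected ranges for the upstream `graphql` gem, copied from the "Affected"
# table on this page. The table's upper bounds are used; two of them (1.11.11,
# 2.1.15) are later than the first patched releases named in the advisory text.
GRAPHQL_RUBY_AFFECTED = [
  [">= 1.11.5", "< 1.11.11"],
  [">= 1.12.0", "< 1.12.25"],
  [">= 1.13.0", "< 1.13.24"],
  [">= 2.0.0",  "< 2.0.32"],
  [">= 2.1.0",  "< 2.1.15"],
  [">= 2.2.0",  "< 2.2.17"],
  [">= 2.3.0",  "< 2.3.21"],
  [">= 2.4.0",  "< 2.4.13"],
].map { |bounds| Gem::Requirement.new(*bounds) }.freeze

# Returns the Gem::Requirement that `version` falls into, or nil when the version
# is outside every affected range (older than 1.11.5, or a patched release).
# Raises ArgumentError on strings that are not valid gem versions.
def graphql_affected_range(version)
  v = Gem::Version.new(version)
  GRAPHQL_RUBY_AFFECTED.find { |req| req.satisfied_by?(v) }
end

def graphql_vulnerable?(version)
  !graphql_affected_range(version).nil?
end

# Extracts the resolved version of `gem_name` from Gemfile.lock text. Bundler
# writes resolved gems as "    name (version)" (four spaces) under "specs:";
# dependency lines are indented six spaces and carry constraints, not versions,
# so the anchored regex skips them.
def locked_gem_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    next unless in_specs
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Scans one Gemfile.lock and reports whether its graphql gem is in an affected range.
def scan_lockfile(lockfile_text)
  version = locked_gem_version(lockfile_text, "graphql")
  return { gem: "graphql", version: nil, vulnerable: false, range: nil } if version.nil?

  range = graphql_affected_range(version)
  { gem: "graphql", version: version, vulnerable: !range.nil?, range: range&.to_s }
end

# Constructed sample lockfile (not taken from any real project): an application
# that pulls graphql in through graphql-client, resolved to an affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      base64 (0.2.0)
      graphql (2.2.16)
        base64
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    graphql-client

  BUNDLED WITH
     2.5.6
LOCK

if __FILE__ == $PROGRAM_NAME
  result = scan_lockfile(SAMPLE_LOCKFILE)
  status = result[:vulnerable] ? "VULNERABLE (#{result[:range]})" : "not in an affected range"
  puts "#{result[:gem]} #{result[:version] || '(not locked)'}: #{status}"
end
```

Run it against each repository's Gemfile.lock; a version that is older than 1.11.5 or at least the fixed release for its minor line returns `vulnerable: false`. Note that the check only covers the gem version: it says nothing about whether the application actually passes untrusted JSON to `GraphQL::Schema.from_introspection`, which is the condition the advisory describes.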
CVSS provenance
nvd · v3.1 · 9.0 · CRITICAL · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
osv · 9.0 · CRITICAL
vendor_debian · 9.0 · CRITICAL
vendor_redhat · 9.0 · CRITICAL
vendor_msrc · 8.4 · HIGH
OSV
CVE-2024-27407 linux-azure, linux-azure-5.15, linux-azure-fips vulnerabilities
osv · 2025-09-18 · CVSS 8.4
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- NTFS3 file system;
- Network traffic control;
(CVE-2024-27407, CVE-2024-57996, CVE-2025-37752, CVE-2025-38350)
OSV
CVE-2024-27407 linux-gke, linux-ibm-5.15, linux-kvm vulnerabilities
osv · 2025-09-02 · CVSS 8.4
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- NTFS3 file system;
- Network traffic control;
(CVE-2024-27407, CVE-2024-57996, CVE-2025-37752, CVE-2025-38350)
OSV
CVE-2024-27407 linux-realtime, linux-intel-iot-realtime vulnerabilities
osv · 2025-08-28 · CVSS 8.4
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- NTFS3 file system;
- Network traffic control;
(CVE-2024-27407, CVE-2024-57996, CVE-2025-37752, CVE-2025-38350)
OSV
linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp vulnerabilities
osv · 2025-08-28 · CVSS 8.4
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- NTFS3 file system;
- Network traffic control;
(CVE-2024-27407, CVE-2024-57996, CVE-2025-37752, CVE-2025-38350)
OSV
CVE-2024-27407 linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
osv · 2025-08-28 · CVSS 8.4
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- NTFS3 file system;
- Network traffic control;
(CVE-2024-27407, CVE-2024-57996, CVE-2025-37752, CVE-2025-38350)
OSV
CVE-2025-27407 [CRITICAL] graphql-ruby is a Ruby implementation of GraphQL
osv · 2025-03-12 · CVSS 9.0
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
OSV
CVE-2025-27407 [CRITICAL] graphql allows remote code execution when loading a crafted GraphQL schema
osv · 2025-03-12
# Summary
Loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.
GHSA
CVE-2025-27407 [CRITICAL] CWE-94 graphql allows remote code execution when loading a crafted GraphQL schema
ghsa · 2025-03-12
# Summary
Loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.
Red Hat
CVE-2025-27407 [CRITICAL] CWE-94 graphql-ruby: Remote code execution when loading a crafted GraphQL schema
vendor_redhat · 2025-03-12 · CVSS 9.0
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
A flaw was found in graphql-ruby. In affected versions of graphql-ruby, loading a malicious schema definition in the `GraphQL::Schema.from_
Debian
CVE-2025-27407 [CRITICAL] ruby-graphql
vendor_debian · 2025 · CVSS 9.0
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.11.12-0+deb11u1)
forky: resolved (fixed in 2.2.17-1)
sid: resolved (fixed in 2.2.17-1)
trixie: resolved (fixed in 2.2.17-1)
Microsoft
CVE-2024-27407 [HIGH] CWE-120 fs/ntfs3: Fixed overflow check in mi_enum_attr()
vendor_msrc · 2024-05-14 · CVSS 8.4
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner · Linux
Customer Action Required: Yes
No detection rules found.
No public exploits indexed.
References:
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.com/github-community-projects/graphql-client
- https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
- https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
- https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
- https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
- https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
- https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
- https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
- https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
- https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html