Simonrand

**Name of the Vulnerable Software and Affected Versions** Graphiti versions prior to 1.10.2 **Description** Graphiti is a framework that exposes models through a JSON:API-compliant interface. Versions prior to 1.10.2 contain a flaw where an attacker can construct a malicious JSONAPI payload with arbitrary relationship names. This allows invocation of any public method on the underlying model instance, class, or its associations. The `Graphiti::Util::ValidationResponse#all valid?` method calls `model.send(name)` with relationship names directly from user-supplied JSONAPI payloads without validation against configured sideloads. This can lead to the execution of any public method on a model instance, its class, or associated instances, potentially including destructive operations. Applications exposing Graphiti write endpoints (create/update/delete) to untrusted users are susceptible. **Recommendations** Upgrade to Graphiti version 1.10.2 or later. Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users. Apply strong authentication and authorization checks before any write operation is processed. Use Rails strong parameters to ensure only valid parameters are processed.