PT-2025-11114 · Unknown · Graphql-Ruby

Rmosolgo · Published 2025-03-12 · Updated 2026-01-12 · CVE-2025-27407

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

graphql-ruby versions 1.11.5 through 1.11.7
graphql-ruby versions 1.12.0 through 1.12.24
graphql-ruby versions 1.13.0 through 1.13.23
graphql-ruby versions 2.0.0 through 2.0.31
graphql-ruby versions 2.1.0 through 2.1.13
graphql-ruby versions 2.2.0 through 2.2.16
graphql-ruby versions 2.3.0 through 2.3.20

Description

The issue allows remote code execution when loading a crafted GraphQL schema. Any system that loads a schema from JSON supplied by an untrusted source is vulnerable, including systems that use GraphQL::Client to load external schemas via GraphQL introspection. The vulnerability is related to the GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load functions.

Recommendations

For versions 1.11.5 through 1.11.7, update to version 1.11.8 or later.
For versions 1.12.0 through 1.12.24, update to version 1.12.25 or later.
For versions 1.13.0 through 1.13.23, update to version 1.13.24 or later.
For versions 2.0.0 through 2.0.31, update to version 2.0.32 or later.
For versions 2.1.0 through 2.1.13, update to version 2.1.14 or later.
For versions 2.2.0 through 2.2.16, update to version 2.2.17 or later.
For versions 2.3.0 through 2.3.20, update to version 2.3.21 or later.

As a temporary workaround, consider restricting access to the GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load functions to minimize the risk of exploitation.
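As an added example that is not part of this advisory or of the graphql-ruby project, the following Ruby script reads a Gemfile.lock, finds the locked version of the graphql gem (the distribution name of graphql-ruby on rubygems.org), and reports whether it falls in one of the affected ranges above and which fixed release the advisory recommends. The lockfile fragment at the bottom is constructed sample input.

```ruby
require "rubygems"

# Affected ranges and the first fixed release per series, taken from the advisory above.
AFFECTED_RANGES = [
  ["1.11.5", "1.11.7", "1.11.8"],
  ["1.12.0", "1.12.24", "1.12.25"],
  ["1.13.0", "1.13.23", "1.13.24"],
  ["2.0.0", "2.0.31", "2.0.32"],
  ["2.1.0", "2.1.13", "2.1.14"],
  ["2.2.0", "2.2.16", "2.2.17"],
  ["2.3.0", "2.3.20", "2.3.21"],
].map { |lo, hi, fix| [Gem::Version.new(lo), Gem::Version.new(hi), fix] }

# Returns the version to upgrade to when `version` falls in an affected range, else nil.
def cve_2025_27407_fix_for(version)
  v = Gem::Version.new(version)
  hit = AFFECTED_RANGES.find { |lo, hi, _fix| v >= lo && v <= hi }
  hit && hit[2]
end

# Extracts the locked graphql gem version from Gemfile.lock text. Spec lines under
# "specs:" are indented four spaces ("    graphql (2.3.19)"); dependency lines such as
# "      graphql (>= 1.13.0)" are deeper and carry an operator, so they do not match.
def locked_graphql_version(lockfile_text)
  m = lockfile_text.match(/^ {4}graphql \((\d+(?:\.\d+)+)\)[ \t]*$/)
  m && m[1]
end

# Combines both checks into an audit verdict for one lockfile.
def audit_lockfile(lockfile_text)
  version = locked_graphql_version(lockfile_text)
  return { status: :not_found } unless version
  fix = cve_2025_27407_fix_for(version)
  return { status: :ok, version: version } unless fix
  { status: :affected, version: version, upgrade_to: fix }
end

# Constructed Gemfile.lock fragment (not from any real project) used as sample input.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.3.19)
        base64
      graphql-client (0.23.0)
        graphql (>= 1.13.0)
LOCK

p audit_lockfile(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

Run it against a real Gemfile.lock with `audit_lockfile(File.read("Gemfile.lock"))`; a `:not_found` result means the lockfile has no direct graphql spec line, not that the dependency is absent transitively.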

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-02819
CVE-2025-27407
DLA-4263-1
GHSA-Q92J-GRW3-H492
RHSA-2025:3490
RHSA-2025:3491
RHSA-2025:3492
RHSA-2025:4576

Affected Products

Debian
Graphql-Ruby