CVE-2025-27407

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27407
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27407.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27407
Aliases
Downstream
Published
2025-03-12T18:15:57Z
Modified
2025-10-30T19:44:22.001455Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Remote code execution when loading a crafted GraphQL schema
Details

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/rmosolgo/graphql-ruby

Affected ranges

Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.11.5"
        },
        {
            "fixed": "1.11.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.25"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.24"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.32"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.17"
        }
    ]
}
Type
GIT
Repo
https://github.com/rmosolgo/graphql-ruby
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.21"
        }
    ]
}

Affected versions

graphql-c_parser-v1.*

graphql-c_parser-v1.0.2
graphql-c_parser-v1.0.3
graphql-c_parser-v1.0.4
graphql-c_parser-v1.0.5
graphql-c_parser-v1.0.6
graphql-c_parser-v1.0.7
graphql-c_parser-v1.0.8
graphql-c_parser-v1.1.0
graphql-c_parser-v1.1.1

v1.*

v1.0.1
v1.11.5
v1.11.6
v1.11.7
v1.12.0
v1.12.1
v1.12.10
v1.12.11
v1.12.12
v1.12.13
v1.12.14
v1.12.15
v1.12.16
v1.12.17
v1.12.18
v1.12.19
v1.12.2
v1.12.20
v1.12.21
v1.12.22
v1.12.23
v1.12.24
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.12.7
v1.12.8
v1.12.9
v1.13.0
v1.13.1
v1.13.10
v1.13.11
v1.13.12
v1.13.13
v1.13.14
v1.13.15
v1.13.16
v1.13.17
v1.13.18
v1.13.19
v1.13.2
v1.13.20
v1.13.21
v1.13.22
v1.13.23
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9

v2.*

v2.0.0
v2.0.1
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.3
v2.0.30
v2.0.31
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9