GHSA-q92j-grw3-h492

Source

https://github.com/advisories/GHSA-q92j-grw3-h492

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-q92j-grw3-h492/GHSA-q92j-grw3-h492.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q92j-grw3-h492

Aliases

CVE-2025-27407

Published

2025-03-12T19:28:00Z

Modified

2025-03-14T20:33:54.234559Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

graphql allows remote code execution when loading a crafted GraphQL schema

Details

Summary

Loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.

Database specific

{
    "nvd_published_at": "2025-03-12T19:15:40Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T19:28:00Z"
}

References

Affected packages

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.4.13

Affected versions

2.*

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.21

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.3.12

2.3.13

2.3.14

2.3.15

2.3.16

2.3.17

2.3.18

2.3.19

2.3.20

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.10

Fixed

2.2.17

Affected versions

2.*

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.15

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.32

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.17.1

2.0.17.2

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13.0

Fixed

1.13.24

Affected versions

1.*

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.13.9

1.13.10

1.13.11

1.13.12

1.13.13

1.13.14

1.13.15

1.13.16

1.13.17

1.13.18

1.13.19

1.13.20

1.13.21

1.13.22

1.13.23

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0

Fixed

1.12.25

Affected versions

1.*

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.12.9

1.12.10

1.12.11

1.12.12

1.12.13

1.12.14

1.12.15

1.12.16

1.12.17

1.12.18

1.12.19

1.12.20

1.12.21

1.12.22

1.12.23

1.12.24

RubyGems / graphql

Package

Name: graphql
Purl: pkg:gem/graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.11.5

Fixed

1.11.11

Affected versions

1.*

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10