Vulnerability DatabaseCVE-2025-27407
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-27407
Published:March 12, 2025
Updated:May 17, 2026
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in "GraphQL::Schema.from_introspection" (or "GraphQL::Schema::Loader.load") can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
Affected Packages
graphql (RUBY):
Affected version(s) >=2.2.0 <2.2.17
Fix Suggestion:
Update to version 2.2.17
graphql (RUBY):
Affected version(s) >=1.13.0 <1.13.24
Fix Suggestion:
Update to version 1.13.24
graphql (RUBY):
Affected version(s) >=1.12.0 <1.12.25
Fix Suggestion:
Update to version 1.12.25
graphql (RUBY):
Affected version(s) >=1.11.5 <1.11.11
Fix Suggestion:
Update to version 1.11.11
graphql (RUBY):
Affected version(s) >=2.1.0 <2.1.15
Fix Suggestion:
Update to version 2.1.15
graphql (RUBY):
Affected version(s) >=2.3.0 <2.3.21
Fix Suggestion:
Update to version 2.3.21
graphql (RUBY):
Affected version(s) >=2.4.0 <2.4.13
Fix Suggestion:
Update to version 2.4.13
graphql (RUBY):
Affected version(s) >=2.0.0 <2.0.32
Fix Suggestion:
Update to version 2.0.32
Related Resources (14)
https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
https://github.com/github-community-projects/graphql-client
https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
https://github.com/rmosolgo/graphql-ruby
https://nvd.nist.gov/vuln/detail/CVE-2025-27407
https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
CWE-94
EPSS
Base Score:
1.36