CVE-2025-27407
Published: 12 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27407 is a remote code execution vulnerability in graphql-ruby, a Ruby implementation of GraphQL. It affects versions starting from 1.11.5 up to but not including 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21. The issue arises when loading a malicious schema definition via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load, allowing arbitrary code execution during schema parsing from untrusted JSON sources. Systems using GraphQL::Client to load external schemas through GraphQL introspection are particularly at risk.
Attackers can exploit this vulnerability over the network without authentication or user interaction, though it requires high attack complexity, as indicated by its CVSS v3.1 score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Any unauthenticated remote actor capable of supplying a crafted JSON introspection response can trigger the flaw when the vulnerable application processes it, leading to full remote code execution with the privileges of the Ruby process. This is tied to CWE-94 (code injection).
Patches are available in graphql-ruby versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, with fixes implemented via specific commits in the project's repository. GitLab addressed the issue in its 17.9.2 patch release for affected integrations. Administrators should upgrade to these versions and avoid loading schemas from untrusted sources.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote code execution flaw in a GraphQL library exposed via web applications, directly enabling T1190 by allowing unauthenticated attackers to supply malicious introspection JSON leading to arbitrary code execution.