CVERadar

CVE-2025-27407

Medium Severity

SVRS

30/100

CVSSv3

NA/10

EPSS

0.04684/1

CVE-2025-27407 is a remote code execution vulnerability in the graphql-ruby gem. Loading a malicious schema definition via GraphQL::Schema.from_introspection can allow attackers to execute arbitrary code. With an SVRS of 30, while not critical, this vulnerability should be addressed to reduce potential risks.

This GraphQL vulnerability affects systems loading schemas from untrusted JSON sources, including those using GraphQL::Client for external schema introspection. If exploited, attackers could gain unauthorized access to the server and perform malicious actions. Upgrade to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, or 2.3.21, which contain the necessary patch to mitigate this security flaw. Though the CVSS score is 0, the possibility of remote code execution makes prompt patching important.

Description

CVE-2025-27407 is a critical remote code execution vulnerability affecting the graphql-ruby gem, a Ruby implementation of GraphQL. Specifically, loading a malicious schema definition using GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load from an untrusted source can lead to arbitrary code execution on the server. The SVRS score of 10 highlights the low risk because it does not necessitate immediate action; this is contrary to the CVSS score, which indicates a critical vulnerability. The vulnerability is actively exploited by hackers (In the Wild).

Key Insights

Remote Code Execution: The vulnerability allows attackers to execute arbitrary code on the affected server, potentially leading to complete system compromise. This is a severe risk because it can result in data breaches, service disruption, and other malicious activities.
Untrusted Schema Sources: Systems that load GraphQL schemas from untrusted sources (e.g., external schemas via GraphQL introspection using GraphQL::Client) are at high risk. Attackers can craft malicious schemas to exploit this vulnerability.
Active Exploitation: The vulnerability is actively exploited by hackers in the wild, making it a significant and immediate threat.
Dependency Issue: This issue affects systems that depend on the vulnerable versions of the graphql-ruby gem. Organizations should meticulously audit their dependencies to identify and remediate this flaw.

Mitigation Strategies

Immediate Patching/Upgrading: Upgrade to the patched versions of the graphql-ruby gem (1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21) as soon as possible. This is the most effective way to mitigate the vulnerability.
Schema Validation and Sanitization: Implement strict validation and sanitization measures for GraphQL schemas loaded from external or untrusted sources. Ensure schemas conform to expected structures and do not contain malicious code or directives.
Restrict Schema Loading: Limit the sources from which GraphQL schemas can be loaded. Avoid loading schemas from untrusted or external sources whenever possible. If external schemas are necessary, implement robust security controls and monitoring.
Web Application Firewall (WAF) Rules: Deploy or update Web Application Firewall (WAF) rules to detect and block malicious GraphQL requests that attempt to exploit this vulnerability. This provides an additional layer of defense.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT

CVE Details

Access comprehensive CVE information instantly

Real-time Tracking

Subscribe to CVEs and get instant updates

Exploit Analysis

Monitor related APT groups and threats

IOC Tracking

Analyze and track CVE-related IOCs

News

GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7

Kevin Morrison2025-05-01

GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7 | Today we are releasing versions 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action and will be notified once their instance has been patched

gitlab.com

rss

forum

news

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

Ajit Jasrotia2025-03-17

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More | From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source repositories […] The post ⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor

allhackernews.com

rss

forum

news

GitLab addressed critical auth bypass flaws in CE and EE

Pierluigi Paganini2025-03-13

GitLab addressed critical auth bypass flaws in CE and EE | GitLab addressed two critical authentication bypass vulnerabilities in Community Edition (CE) and Enterprise Edition (EE). GitLab released security updates to address critical vulnerabilities in Community Edition (CE) and Enterprise Edition (EE). The company addressed nine vulnerabilities, including the two critical ruby-saml authentication bypass issues respectively tracked as CVE-2025-25291 and CVE-2025-25292. GitLab CE/EE versions 17.7.7, 17.8.5, […] GitLab addressed two critical

securityaffairs.co

rss

forum

news

GitLab Warns of Multiple Vulnerabilities Let Attackers Login as Valid User

Kaaviya2025-03-13

GitLab Warns of Multiple Vulnerabilities Let Attackers Login as Valid User | GitLab has released critical security patches for multiple vulnerabilities that could potentially allow attackers to authenticate as legitimate users or even execute remote code under specific circumstances.  The company has urged all self-managed GitLab installations to immediately upgrade to versions 17.9.2, 17.8.5, or 17.7.7 for both Community Edition (CE) and Enterprise Edition (EE) to address […] The post GitLab Warns of Multiple Vulnerabilities Let Attackers Login as Valid User</a

cybersecuritynews.com

rss

forum

news

CVE-2025-27407 | rmosolgo graphql-ruby up to 2.3.20 Loader.load code injection (GHSA-q92j-grw3-h492)

vuldb.com2025-03-13

CVE-2025-27407 | rmosolgo graphql-ruby up to 2.3.20 Loader.load code injection (GHSA-q92j-grw3-h492) | A vulnerability was found in rmosolgo graphql-ruby up to 2.3.20. It has been declared as critical. This vulnerability affects the function GraphQL::Schema::Loader.load. The manipulation leads to code injection. This vulnerability was named CVE-2025-27407. The attack can be initiated remotely. There is no exploit

vuldb.com

rss

forum

news

Social Media

Grok

@grok

2025-03-20

@Shubhamkhanna06 The latest GraphQL-related CVE is CVE-2025-27407, a critical flaw in the GraphQL gem for Ruby allowing remote code execution. Published in early 2025, it has a CVSS score of 9.1 and affects versions before 1.11.11, 1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21, and 2.4.13.

Cybersecurity News Everyday

@TweetThreatNews

2025-03-18

A critical vulnerability (CVE-2025-27407) in the graphql-ruby gem exposes millions to remote code execution risks. Developers must upgrade to patched versions to safeguard their applications. ⚠️ #RCE #GraphQL #USA link: https://t.co/UnS5Qca9MP https://t.co/nXRRzDjp5n

CCB Alert

@CCBalert

2025-03-17

Warning: Critical and high severity #vulnerabilities #CVE-2025-27407 CVSS 9.0, #CVE-2025-25291 and #CVE-2025-25292 CVSS 8.8 in #GitLab's Community and Enterprise Editions could lead to #RCE and #AuthenticationBypass. Check https://t.co/DBClmyDfk2 and #Patch #Patch #Patch

Adrian Anglin

@adriananglin

2025-03-17

CVE-2025-27407 (CVSS 9.1): Critical GraphQL-Ruby Flaw Exposes Millions to RCE A severe remote code execution vulnerability in GraphQL-Ruby puts countless applications at risk of compromise. https://t.co/khPJhOGQUl #Cybersecurity #RCE #GraphQL

Nicolas Krassas

@Dinosn

2025-03-17

CVE-2025-27407 (CVSS 9.1): Critical GraphQL-Ruby Flaw Exposes Millions to RCE https://t.co/wJH4l04HHq

Gray Hats

@the_yellow_fall

2025-03-17

CVE-2025-27407 (CVSS 9.1): Critical #GraphQL-Ruby Flaw Exposes Millions to RCE Learn about CVE-2025-27407, a critical vulnerability in graphql-ruby that poses serious risks to applications using it. https://t.co/5vpwAUZ1TA

RUBYLAND

@rubylandnews

2025-03-13

RubySec ➜ CVE-2025-27407 (graphql): graphql allows remote code execution when loading a crafted GraphQL schema https://t.co/s1X1L4HnQT

Affected Software

No affected software found for this CVE

References

Reference	Link
[email protected]	https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
[email protected]	https://github.com/github-community-projects/graphql-client
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
[email protected]	https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
[email protected]	https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
HTTPS://GITHUB.COM/GITHUB-COMMUNITY-PROJECTS/GRAPHQL-CLIENT	https://github.com/github-community-projects/graphql-client
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/28233B16C0EB9D0FB7808F4980E061DC7507C4CD	https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/2D2F4ED1F79472F8EED29C864B039649E1DE238F	https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/5C5A7B9A9BDCE143BE048074AEA50EDB7BB747BE	https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/6ECA16B9FA553AA957099A30DBDE64DDCDAC52CA	https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/D0963289E0DAB4EA893BBECF12BB7D89294957BB	https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/D1117AE0361D9ED67E0795B07F5C3E98E62F3C7C	https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/E3B33ACE05391DA2871C75AB4D3B66E29133B367	https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/SECURITY/ADVISORIES/GHSA-Q92J-GRW3-H492	https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
HTTPS://ABOUT.GITLAB.COM/RELEASES/2025/03/12/PATCH-RELEASE-GITLAB-17-9-2-RELEASED	https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
HTTPS://GITHUB.COM/GITHUB-COMMUNITY-PROJECTS/GRAPHQL-CLIENT	https://github.com/github-community-projects/graphql-client
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/28233B16C0EB9D0FB7808F4980E061DC7507C4CD	https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/2D2F4ED1F79472F8EED29C864B039649E1DE238F	https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/5C5A7B9A9BDCE143BE048074AEA50EDB7BB747BE	https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/6ECA16B9FA553AA957099A30DBDE64DDCDAC52CA	https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/D0963289E0DAB4EA893BBECF12BB7D89294957BB	https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/D1117AE0361D9ED67E0795B07F5C3E98E62F3C7C	https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/COMMIT/E3B33ACE05391DA2871C75AB4D3B66E29133B367	https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
HTTPS://GITHUB.COM/RMOSOLGO/GRAPHQL-RUBY/SECURITY/ADVISORIES/GHSA-Q92J-GRW3-H492	https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492

CWE Details

CWE ID	CWE Name	Description
CWE-94	Improper Control of Generation of Code ('Code Injection')	The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence