Arbitrary Code Injection Affecting graphql package, versions >=1.11.5 <1.11.11, >=1.12.0 <1.12.25, >=1.13.0 <1.13.24, >=2.0.0 <2.0.32, >=2.1.0 <2.1.15, >=2.2.10 <2.2.17, >=2.3.0 <2.3.21, >=2.4.0 <2.4.13


Severity

critical

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 4.68% (89th percentile)

  • Snyk ID: SNYK-RUBY-GRAPHQL-9403760
  • published: 13 Mar 2025
  • disclosed: 12 Mar 2025
  • credit: yvvdwf

Introduced: 12 Mar 2025

CVE-2025-27407
CWE-94

How to fix?

Upgrade graphql to version 1.11.11, 1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21 or 2.4.13, or to a later release in the same series.
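The affected ranges above are narrow per-series windows, so a plain "is it below 2.4.13" check gets the answer wrong for every older series. The following is an added example, not code from Snyk or from the graphql project: it encodes the advisory's ranges as RubyGems requirements and checks a resolved version against them, pulling that version either from the running process or from a Gemfile.lock. The lockfile layout it assumes (a direct spec listed as `    graphql (x.y.z)` under the GEM/specs block) is Bundler's standard format; the sample lockfile is constructed for the example.

```ruby
# Added example (not part of the Snyk advisory): check a project's graphql gem
# version against the affected ranges listed in this advisory, using RubyGems'
# own version comparison rather than string matching.
require "rubygems"

# Affected ranges, copied from the advisory header: each pair is a lower bound
# (inclusive) and the first fixed release in that series (exclusive).
GRAPHQL_VULNERABLE_RANGES = [
  [">= 1.11.5", "< 1.11.11"],
  [">= 1.12.0", "< 1.12.25"],
  [">= 1.13.0", "< 1.13.24"],
  [">= 2.0.0",  "< 2.0.32"],
  [">= 2.1.0",  "< 2.1.15"],
  [">= 2.2.10", "< 2.2.17"],
  [">= 2.3.0",  "< 2.3.21"],
  [">= 2.4.0",  "< 2.4.13"],
].map { |lower, upper| Gem::Requirement.new(lower, upper) }.freeze

# True if the given version string falls inside any affected range.
def graphql_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  GRAPHQL_VULNERABLE_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Extract the resolved graphql version from Gemfile.lock text. Direct specs in
# the GEM/specs section are indented four spaces: "    graphql (2.4.12)".
# Returns nil when graphql is not in the lockfile.
def lockfile_graphql_version(lockfile_text)
  match = lockfile_text.match(/^ {4}graphql \(([^)\s]+)\)$/)
  match && match[1]
end

# Version of graphql loaded in the current process, if any (nil otherwise).
def loaded_graphql_version
  spec = Gem.loaded_specs["graphql"]
  spec && spec.version.to_s
end

# Constructed sample lockfile pinning a version inside the last affected range.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.4.12)
      rack (3.1.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    graphql
LOCK

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_graphql.rb [path/to/Gemfile.lock]
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCKFILE
  version = lockfile_graphql_version(text)
  if version.nil?
    puts "graphql is not present in the lockfile"
  elsif graphql_vulnerable?(version)
    puts "graphql #{version} is affected by CVE-2025-27407; upgrade to a fixed release"
  else
    puts "graphql #{version} is outside the affected ranges"
  end
end
```

Using `Gem::Requirement` keeps prerelease and multi-component versions ordered the way Bundler orders them, which a lexical comparison of version strings does not.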

Overview

graphql is a plain-Ruby implementation of GraphQL.

Affected versions of this package are vulnerable to Arbitrary Code Injection (CWE-94) via GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load. Both build a schema object from an introspection result supplied as data; an attacker who controls that data can craft a schema definition that causes arbitrary code to execute in the process loading it. The issue is reachable only when the introspection result comes from a source the attacker can influence, such as a remote GraphQL endpoint or a user-supplied schema file, so applications that load schemas from untrusted sources should treat this as remote code execution and upgrade, while schemas loaded only from trusted, locally controlled sources are not an exposure path.
