CVE-2025-27407

Remote code execution when loading a crafted GraphQL schema

CVSS 9.1 CRITICALEPSS 2.9%CWE-94

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.1EPSS 2.9%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

12 Mar 2025Published on NVD

25 Apr 2026Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

rmosolgo · graphql-ruby

public PoCs found — 1

githubgithub.com/LoGGGG2402/CVE-2025-27407★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References