Vulnerable Library - graphql-2.2.17.gem
A plain-Ruby implementation of GraphQL.
Library home page: https://rubygems.org/gems/graphql-2.2.17.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/graphql-2.2.17.gem
Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (graphql version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-27407 | Critical | 9.0 | graphql-2.2.17.gem | Direct | 1.11.11, 1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21, 2.4.13 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-27407
Vulnerable Library - graphql-2.2.17.gem
A plain-Ruby implementation of GraphQL.
Library home page: https://rubygems.org/gems/graphql-2.2.17.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/graphql-2.2.17.gem
Dependency Hierarchy:
- ❌ graphql-2.2.17.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in "GraphQL::Schema.from_introspection" (or "GraphQL::Schema::Loader.load") can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
Publish Date: 2025-03-12
URL: CVE-2025-27407
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-q92j-grw3-h492
Release Date: 2025-03-12
Fix Resolution: graphql 1.11.11, 1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21, 2.4.13 (upgrade to the listed release of the branch you are on, or any later release in that branch)
Note: the flagged version, 2.2.17, appears in this fix list and among the patched versions in the advisory text above, so confirm which graphql release Gemfile.lock actually resolves before acting on this finding; a lock at 2.2.17 or later in the 2.2 branch is inconsistent with the advisory. For two branches this list also names a later release than the advisory's minimum (1.11.11 rather than 1.11.8, 2.1.15 rather than 2.1.14); either satisfies the advisory.
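The check a reviewer of this finding would run, as an added example (it is not code from the Mend report or from graphql-ruby): read the resolved graphql version out of Gemfile.lock, classify it against the affected range in the advisory, and list the source lines that call the sink the advisory names. The branch-to-patched-version map is transcribed from the advisory text above plus 2.4.13 from the fix list; `GraphQL::Client.load_schema` is added from the graphql-client gem's public API, since the page names only the class; the lockfile and source snippets are constructed sample input. Note that the sample lock pins the version this report flags, and the advisory text classifies it as patched, which is exactly the discrepancy the note above asks you to resolve.

```ruby
# Added example, not code from the Mend report or from graphql-ruby: decide from a
# Gemfile.lock whether the locked graphql gem falls in the affected range for
# CVE-2025-27407, and point at the call sites the advisory names as the sink.
require "rubygems" # provides Gem::Version (standard library)

# Minimum patched release per release branch. The versions are transcribed from
# the advisory text on this page (plus 2.4.13 from the report's fix list); the
# branch-keyed layout is this example's own.
PATCHED_IN = {
  "1.11" => "1.11.8",
  "1.12" => "1.12.25",
  "1.13" => "1.13.24",
  "2.0"  => "2.0.32",
  "2.1"  => "2.1.14",
  "2.2"  => "2.2.17",
  "2.3"  => "2.3.21",
  "2.4"  => "2.4.13",
}.freeze

# First affected release, per the advisory text.
INTRODUCED_IN = Gem::Version.new("1.11.5")

# Classify a graphql gem version: :not_affected (before the bug was introduced),
# :vulnerable, :patched, or :unknown (a release branch the advisory does not cover).
def cve_2025_27407_status(version_string)
  version = Gem::Version.new(version_string)
  return :not_affected if version < INTRODUCED_IN

  branch = version.segments.first(2).join(".")
  floor = PATCHED_IN[branch]
  return :unknown unless floor

  version < Gem::Version.new(floor) ? :vulnerable : :patched
end

# Pull the resolved graphql version out of Gemfile.lock text. Bundler indents a
# resolved spec by four spaces and a spec's dependencies by six, so the anchored
# match skips the "graphql (>= 1.13.0)" requirement lines of dependent gems.
def locked_graphql_version(lockfile_text)
  lockfile_text.each_line do |line|
    match = line.match(/\A {4}graphql \(([^)]+)\)\s*\z/)
    return match[1] if match
  end
  nil
end

# Entry points the advisory names as the sink. GraphQL::Client.load_schema is an
# assumption taken from the graphql-client gem's API; the page names only the class.
INTROSPECTION_SINKS = [
  "GraphQL::Schema.from_introspection",
  "GraphQL::Schema::Loader.load",
  "GraphQL::Client.load_schema",
].freeze

# Return [line_number, line] pairs for source lines that call one of the sinks.
def introspection_sinks(ruby_source)
  ruby_source.each_line.with_index(1)
             .select { |line, _| INTROSPECTION_SINKS.any? { |sink| line.include?(sink) } }
             .map { |line, number| [number, line.strip] }
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.2.17)
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    graphql
    graphql-client
LOCK

SAMPLE_SOURCE = <<~RUBY
  require "graphql"
  json = Net::HTTP.get(URI("https://partner.example/introspection.json")) # untrusted
  schema = GraphQL::Schema.from_introspection(JSON.parse(json))
  local = GraphQL::Schema.from_definition("schema.graphql")
RUBY

locked = locked_graphql_version(SAMPLE_LOCK)
puts "graphql #{locked}: #{cve_2025_27407_status(locked)}"
introspection_sinks(SAMPLE_SOURCE).each { |n, line| puts "  sink at line #{n}: #{line}" }
```

Run it against the real Gemfile.lock and application tree instead of the constructed samples; a `:patched` result for the locked version means the scanner finding, not the lock, needs a second look, while any sink that is fed JSON fetched from a host you do not control is the code path the advisory describes, regardless of version.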
Step up your Open Source Security Game with Mend here