{
  "threat_severity" : "Important",
  "public_date" : "2025-03-12T18:15:57Z",
  "bugzilla" : {
    "description" : "graphql-ruby: Remote code execution when loading a crafted GraphQL schema",
    "id" : "2351767",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2351767"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.", "A flaw was found in graphql-ruby. In affected versions, loading a malicious schema definition with `GraphQL::Schema.from_introspection` or `GraphQL::Schema::Loader.load` can lead to remote code execution. Any system that loads a schema from JSON supplied by an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection." ],
  "statement" : "This vulnerability is marked as Important rather than Critical because interaction with the vulnerable GraphQL library is restricted to authenticated users in Red Hat Satellite. Satellite does not dynamically load schemas from external sources, which further reduces the feasibility of exploitation.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.14 for RHEL 8",
    "release_date" : "2025-04-01T00:00:00Z",
    "advisory" : "RHSA-2025:3492",
    "cpe" : "cpe:/a:redhat:satellite:6.14::el8",
    "package" : "rubygem-graphql-0:1.13.24-1.el8sat",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2025-04-01T00:00:00Z",
    "advisory" : "RHSA-2025:3491",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "rubygem-graphql-0:1.13.24-1.el8sat",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-04-01T00:00:00Z",
    "advisory" : "RHSA-2025:3490",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "rubygem-graphql-0:1.13.24-1.el8sat",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-04-01T00:00:00Z",
    "advisory" : "RHSA-2025:3490",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "rubygem-graphql-0:1.13.24-1.el9sat",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4576",
    "cpe" : "cpe:/a:redhat:satellite:6.17::el9",
    "package" : "rubygem-graphql-0:1.13.24-1.el9sat",
    "impact" : "important"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-27407\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27407\nhttps://github.com/github-community-projects/graphql-client\nhttps://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd\nhttps://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f\nhttps://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be\nhttps://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca\nhttps://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb\nhttps://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c\nhttps://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367\nhttps://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492" ],
  "name" : "CVE-2025-27407",
  "mitigation" : {
    "value" : "Successful exploitation of this flaw requires the application to load a GraphQL schema from attacker-controlled JSON. Restricting schema loading to trusted sources or authenticated users limits the impact of the vulnerability. Coupling that with strict input validation of every GraphQL schema document before it is loaded further reduces the risk of a successful attack and serves as a possible mitigation strategy for this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
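The mitigation above asks for two things: do not feed untrusted introspection JSON to the loader on an affected version, and validate every schema document before loading it. The Ruby below is an added example, not code from graphql-ruby, GraphQL::Client or Red Hat Satellite. It encodes the affected ranges from the details (first affected 1.11.5; fixed in 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, 2.3.21) and performs structural checks on an introspection response (GraphQL Name grammar, known `kind` values, bounded `ofType` nesting, `defaultValue` as a string) before handing the parsed document to a loader. The loader is injected as a lambda so the script runs without the graphql gem installed; in an application it would be `->(doc) { GraphQL::Schema.from_introspection(doc) }`. The sample introspection documents are constructed, and the checks are defence in depth rather than a replacement for upgrading: they do not claim to block the specific exploit, which the advisory does not describe.

```ruby
# Added example (not graphql-ruby's or Satellite's code): gate and validate introspection JSON
# before it reaches GraphQL::Schema.from_introspection. Sample documents below are constructed.
require "json"
require "rubygems"

class UntrustedSchemaError < StandardError; end

# Affected range from the advisory: >= 1.11.5 and below the fixed release of each minor line.
FIRST_AFFECTED = Gem::Version.new("1.11.5")
PATCHED = %w[1.11.8 1.12.25 1.13.24 2.0.32 2.1.14 2.2.17 2.3.21].map { |v| Gem::Version.new(v) }.freeze

# True when the installed graphql-ruby version is affected by CVE-2025-27407.
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < FIRST_AFFECTED
  fix = PATCHED.find { |p| p.segments[0, 2] == v.segments[0, 2] }
  fix ? v < fix : v < PATCHED.max # minor lines newer than 2.3 were released after the fix
end

NAME_RE = /\A[_A-Za-z][_0-9A-Za-z]*\z/ # GraphQL Name grammar
KINDS   = %w[SCALAR OBJECT INTERFACE UNION ENUM INPUT_OBJECT LIST NON_NULL].freeze

def check_name!(name, what)
  return if name.is_a?(String) && name.match?(NAME_RE)
  raise UntrustedSchemaError, "#{what} name #{name.inspect} is not a GraphQL Name"
end

def list(value, what)
  return [] if value.nil?
  raise UntrustedSchemaError, "#{what} must be a list" unless value.is_a?(Array)
  value
end

# Type references nest via ofType (NON_NULL -> LIST -> NON_NULL -> OBJECT); bound the depth.
def check_type_ref!(ref, depth = 0)
  raise UntrustedSchemaError, "type reference nested too deeply" if depth > 8
  raise UntrustedSchemaError, "type reference must be an object" unless ref.is_a?(Hash)
  raise UntrustedSchemaError, "unknown kind #{ref["kind"].inspect}" unless KINDS.include?(ref["kind"])
  check_name!(ref["name"], "referenced type") unless ref["name"].nil?
  check_type_ref!(ref["ofType"], depth + 1) unless ref["ofType"].nil?
end

def check_input_value!(iv)
  raise UntrustedSchemaError, "input value must be an object" unless iv.is_a?(Hash)
  check_name!(iv["name"], "argument")
  check_type_ref!(iv["type"])
  dv = iv["defaultValue"] # introspection encodes defaults as a GraphQL literal in a string
  raise UntrustedSchemaError, "defaultValue must be a string or null" unless dv.nil? || dv.is_a?(String)
end

def check_type!(t)
  raise UntrustedSchemaError, "type entry must be an object" unless t.is_a?(Hash)
  check_name!(t["name"], "type")
  raise UntrustedSchemaError, "unknown kind #{t["kind"].inspect}" unless KINDS.include?(t["kind"])
  list(t["fields"], "fields").each do |f|
    raise UntrustedSchemaError, "field must be an object" unless f.is_a?(Hash)
    check_name!(f["name"], "field")
    check_type_ref!(f["type"])
    list(f["args"], "args").each { |a| check_input_value!(a) }
  end
  list(t["inputFields"], "inputFields").each { |a| check_input_value!(a) }
  list(t["enumValues"], "enumValues").each do |e|
    raise UntrustedSchemaError, "enum value must be an object" unless e.is_a?(Hash)
    check_name!(e["name"], "enum value")
  end
end

# Parses and structurally validates an introspection response ({"data": {"__schema": ...}}).
# Size and nesting are capped before parsing; returns the parsed Hash or raises UntrustedSchemaError.
def validate_introspection(json_text, max_bytes: 2_000_000)
  raise UntrustedSchemaError, "schema document exceeds #{max_bytes} bytes" if json_text.bytesize > max_bytes
  doc = JSON.parse(json_text, max_nesting: 32)
  schema = doc.is_a?(Hash) && doc["data"].is_a?(Hash) ? doc["data"]["__schema"] : nil
  raise UntrustedSchemaError, "missing data.__schema" unless schema.is_a?(Hash)
  %w[queryType mutationType subscriptionType].each do |root|
    next if schema[root].nil?
    raise UntrustedSchemaError, "#{root} must be an object" unless schema[root].is_a?(Hash)
    check_name!(schema[root]["name"], root)
  end
  list(schema["types"], "types").each { |t| check_type!(t) }
  doc
rescue JSON::ParserError => e
  raise UntrustedSchemaError, "not valid JSON: #{e.message}"
end

# Boolean form of the validator for callers that prefer not to rescue.
def untrusted_schema?(json_text)
  validate_introspection(json_text)
  false
rescue UntrustedSchemaError
  true
end

# Refuses external schemas on an affected gem version and validates the document either way.
def load_schema_guarded(json_text, graphql_version:, loader:, trusted_source: false)
  if !trusted_source && affected_version?(graphql_version)
    raise UntrustedSchemaError, "refusing external schema with graphql #{graphql_version} (CVE-2025-27407)"
  end
  loader.call(validate_introspection(json_text))
end

# Constructed sample: a minimal well-formed introspection result, and a tampered copy whose
# queryType name falls outside the Name grammar.
GOOD_INTROSPECTION = JSON.generate(
  "data" => { "__schema" => {
    "queryType" => { "name" => "Query" }, "mutationType" => nil, "subscriptionType" => nil,
    "types" => [
      { "kind" => "OBJECT", "name" => "Query", "inputFields" => nil, "enumValues" => nil,
        "fields" => [{ "name" => "ping", "args" => [],
                       "type" => { "kind" => "NON_NULL", "name" => nil,
                                   "ofType" => { "kind" => "SCALAR", "name" => "String", "ofType" => nil } } }] },
      { "kind" => "SCALAR", "name" => "String", "fields" => nil, "inputFields" => nil, "enumValues" => nil }
    ] } }
)
BAD_INTROSPECTION = GOOD_INTROSPECTION.sub('"name":"Query"', '"name":"Query (tampered)"')
```

Run with a current gem version and `trusted_source: true` for schemas vetted into the repository; leave `trusted_source` false for anything fetched at runtime from an introspection endpoint, which is the GraphQL::Client pattern the advisory calls out.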