
A critical vulnerability, tracked as CVE-2025-27407, has been disclosed in the widely used graphql-ruby gem. It allows remote code execution in any application that loads a GraphQL schema from a source it does not control. With over 136 million downloads, the library's reach makes the potential impact significant.
The vulnerability carries a CVSS score of 9.1 and stems from the way graphql-ruby handles schema loading in GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load. A maliciously crafted schema definition (an introspection result) passed to either method can trigger code execution in the Ruby process that loads it. This is particularly concerning for applications that ingest schemas from untrusted sources, including clients that use GraphQL::Client to fetch a remote server's schema through GraphQL introspection, since that fetched schema is loaded through the same code path.
Any system that loads a GraphQL schema from an external source, for example introspection JSON fetched from a remote endpoint or supplied by a user, is potentially vulnerable. Validating the JSON beforehand is not a reliable defence, because the schema document itself is the attack payload; the fix is the upgraded gem. A successful exploit runs attacker-chosen code with the privileges of the Ruby process, which in practice exposes application secrets, data stores, and whatever else that process can reach.
Applications on affected versions can be compromised simply by loading a crafted schema through one of the affected methods. The vulnerable code is reached only when a schema is loaded that way, so a server that defines its own schema in Ruby and never loads introspection output is not on the exposed path, though it should still upgrade. Where the path is exposed, the consequences range from data breaches to service disruption.
The vulnerability affects every release series of graphql-ruby below the corresponding patched version. The fixed releases are:
- 1.11.11
- 1.12.25
- 1.13.24
- 2.0.32
- 2.1.15
- 2.2.17
- 2.3.21
- 2.4.13
Developers using graphql-ruby should upgrade to the patched release of their series without delay (for example, raise the constraint in the Gemfile and run `bundle update graphql`), then confirm the resolved version in Gemfile.lock. Until the upgrade is deployed, do not call GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load on schema documents from sources you do not control; if your build needs a remote schema, check in a reviewed copy instead of fetching it at runtime.
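As an added example (this is not code from the article or from the graphql-ruby project), the Ruby helper below does the two checks a practitioner would want after reading the version list above: it classifies the graphql version pinned in a Gemfile.lock against the patched releases, and it refuses to hand an introspection document to the loader unless the document matches a SHA-256 digest pinned after review, which removes the runtime fetch of an untrusted schema. The lockfile text and the introspection JSON are constructed samples, the helper names are my own, and the default `loader` assumes GraphQL::Schema.from_introspection takes the parsed introspection hash, as documented for the gem.

```ruby
require "rubygems"
require "digest"
require "json"

# Patched releases named in the advisory, one per release series (major.minor).
PATCHED_VERSIONS = %w[
  1.11.11 1.12.25 1.13.24 2.0.32 2.1.15 2.2.17 2.3.21 2.4.13
].map { |v| Gem::Version.new(v) }.freeze

# Classify an installed graphql-ruby version against the patch list.
#   :patched            - at or above the fixed version of its series
#   :vulnerable         - same series as a fixed release, but below it
#   :unsupported_series - older than any series that received a fix
#   :newer_series       - a series not in the list (released after the
#                         advisory); confirm it carries the fix before trusting it
def cve_2025_27407_status(version_string)
  installed = Gem::Version.new(version_string)
  series = installed.segments[0, 2]
  fixed = PATCHED_VERSIONS.find { |v| v.segments[0, 2] == series }
  if fixed
    installed >= fixed ? :patched : :vulnerable
  elsif installed < PATCHED_VERSIONS.first
    :unsupported_series
  else
    :newer_series
  end
end

# Extract the locked graphql version from Gemfile.lock text. Resolved gems sit at
# four spaces of indent under "specs:"; dependency lines are indented further, and
# "graphql-client" does not match because the name must be followed by " (".
def locked_graphql_version(lockfile_text)
  m = lockfile_text.match(/^ {4}graphql \((\d+\.\d+\.\d+[^)]*)\)/)
  m && m[1]
end

# Load an introspection document only if it is byte-for-byte the one that was
# reviewed and pinned (SHA-256 hex digest). Fetching a remote server's
# introspection result and feeding it straight to from_introspection is exactly
# the exposed path. `loader` is a hypothetical injection point that defaults to
# the gem's GraphQL::Schema.from_introspection (assumed to take the parsed hash).
def load_pinned_schema(json_text, expected_sha256, loader: ->(h) { GraphQL::Schema.from_introspection(h) })
  actual = Digest::SHA256.hexdigest(json_text)
  unless actual == expected_sha256
    raise "introspection JSON digest mismatch: expected #{expected_sha256}, got #{actual}"
  end
  loader.call(JSON.parse(json_text))
end

# Constructed sample lockfile (not from a real project) pinning a vulnerable release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      base64 (0.2.0)
      graphql (2.4.12)
        base64
      graphql-client (0.23.0)
        graphql (>= 1.13.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = locked_graphql_version(SAMPLE_LOCKFILE)
  puts "graphql #{v}: #{cve_2025_27407_status(v)}"
end
```

Run it against a real project with `ruby check.rb < /dev/null` after swapping SAMPLE_LOCKFILE for `File.read("Gemfile.lock")`; a :newer_series result means the series post-dates the advisory's list and must be checked against the advisory by hand rather than assumed safe.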