CVE-2025-27407
CVSS 9.1 · EPSS 5.86%
Schema to Shell: The GraphQL-Ruby Introspection Nightmare
Amit Schendel
Senior Security Researcher · Jan 12, 2026 · 7 min read
PoC Available
Executive Summary (TL;DR)
If your Ruby application loads GraphQL schemas from untrusted sources (such as user uploads or external endpoints), you are likely vulnerable to RCE. The `graphql-ruby` gem built Ruby code strings from schema names without validating them. Update to the patched versions immediately.
A critical RCE in the popular `graphql-ruby` gem allows attackers to achieve remote code execution by providing malicious introspection data. By leveraging unsafe metaprogramming, specifically string-based `class_eval`, an attacker can inject arbitrary Ruby code during schema reconstruction.
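To make the mechanism concrete, the following added example (written for this page, not the gem's own code and not the upstream patch) contrasts the two patterns the summary describes: an accessor builder that splices a type name from introspection data into a code string passed to `class_eval`, and a hardened builder that first validates the name against the GraphQL identifier grammar and then defines the method with a block, so no source text is ever generated from untrusted input. The introspection document, the `build_type*` and `load_types` helpers, and the registry shape are all assumptions made for the example.

```ruby
require 'json'

# GraphQL names must match /[_A-Za-z][_0-9A-Za-z]*/ (GraphQL spec lexical grammar).
# Anchored with \A and \z so nothing outside the identifier can ride along.
GRAPHQL_NAME = /\A[_A-Za-z][_0-9A-Za-z]*\z/.freeze

def valid_graphql_name?(name)
  name.is_a?(String) && name.match?(GRAPHQL_NAME)
end

# Unsafe pattern (the shape of the bug described above, not the gem's real code):
# the untrusted name is interpolated into Ruby source and handed to class_eval,
# so any name that is not a plain identifier is parsed and executed as Ruby.
def build_type_unsafe(name)
  klass = Class.new
  klass.class_eval "def self.graphql_name; '#{name}'; end"
  klass
end

# Hardened pattern: validate the name first, then define the method with a
# block. No source text is generated, so the name only ever exists as a String.
def build_type(name)
  raise ArgumentError, "invalid GraphQL name: #{name.inspect}" unless valid_graphql_name?(name)
  klass = Class.new
  klass.define_singleton_method(:graphql_name) { name }
  klass
end

# Walk an introspection result and build a type registry (hypothetical loader).
# Types whose names fail validation are reported rather than turned into code.
def load_types(introspection_json)
  types = JSON.parse(introspection_json).dig("data", "__schema", "types") || []
  accepted = {}
  rejected = []
  types.each do |t|
    name = t["name"]
    if valid_graphql_name?(name)
      accepted[name] = build_type(name)
    else
      rejected << name
    end
  end
  [accepted, rejected]
end

# Constructed introspection document (not captured from any real endpoint):
# two well-formed types plus two names no legitimate schema would contain.
CONSTRUCTED_INTROSPECTION = JSON.generate(
  "data" => { "__schema" => { "types" => [
    { "kind" => "OBJECT", "name" => "Query" },
    { "kind" => "OBJECT", "name" => "User" },
    { "kind" => "OBJECT", "name" => "Bad Name" },
    { "kind" => "OBJECT", "name" => "x'y" }
  ] } }
)

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = load_types(CONSTRUCTED_INTROSPECTION)
  puts "accepted: #{accepted.keys.inspect}"   # ["Query", "User"]
  puts "rejected: #{rejected.inspect}"        # ["Bad Name", "x'y"]
end
```

The defensive point is the allow-list check: an anchored regex on the GraphQL name grammar, applied before any metaprogramming, turns every malformed name into a rejected entry instead of Ruby source. Replacing string `class_eval` with `define_singleton_method` removes the code-generation step altogether, so even a name that slips past a future validation bug is still just data.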
CVSS Score: 9.1 / 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability: 5.86% (top 10% most exploited)
Affected Systems
- graphql-ruby gem < 2.4.13
- GitLab < 17.9.2
- Applications using GraphQL::Client with untrusted endpoints
- Any Ruby app loading introspection data via `from_introspection`
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| graphql-ruby (Robert Mosolgo) | < 2.4.13 | 2.4.13 |
| graphql-ruby (Robert Mosolgo) | < 2.3.21 | 2.3.21 |
| GitLab Community/Enterprise (GitLab) | 17.7.0 - 17.7.6 | 17.7.7 |
| GitLab Community/Enterprise (GitLab) | 17.8.0 - 17.8.4 | 17.8.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-94 (Code Injection) |
| CVSS v3.1 | 9.1 (Critical) |
| Attack Vector | Network (Introspection Loading) |
| EPSS Score | 5.86% (High Probability) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploits & Detection
Vulnerability Timeline
- 2025-03-12: Vulnerability disclosed and patched
- 2025-03-12: GitLab releases fix (17.9.2)
- 2025-03-13: Public analysis and PoCs emerge