CVE-2025-27407: Inside the Critical GraphQL-Ruby RCE Vulnerability
How a popular Ruby gem exposed thousands of applications to remote code execution. A technical analysis of the vulnerability that affected major platforms worldwide.
In the interconnected ecosystem of modern web applications, security often extends beyond our own code to the third-party dependencies we integrate into our systems. Recently, a severe Remote Code Execution (RCE) vulnerability was discovered in GraphQL-Ruby, a popular library used by thousands of Ruby applications worldwide for implementing GraphQL APIs.
GraphQL-Ruby has become the go-to solution for Ruby developers working with GraphQL. Its widespread adoption means this vulnerability potentially impacts numerous high-profile applications, including major platforms like GitLab.
The vulnerability, tracked as GHSA-q92j-grw3-h492, presents significant security implications for affected systems. After encountering this issue during a recent client engagement, our security research team conducted an in-depth analysis to understand its inner workings and exploitation vectors.
In this technical deep-dive, we'll walk through:
· The core mechanics of the vulnerability
· How attackers could potentially exploit it
· Which versions and configurations are vulnerable
· Practical mitigation strategies to protect your systems
Whether you're a developer using GraphQL-Ruby, a security professional assessing risks, or simply interested in understanding how this vulnerability works, this analysis provides a comprehensive examination of one of the most significant Ruby library security issues in recent months.
The Vulnerability
We’re not dropping the full deep-dive just yet. We’d rather give it a few days so everyone has time to read this and check their own systems. For now, we’re just sharing the key point of the vulnerability - the juicy part.
The summary served its purpose well.
The vulnerability appears if we call GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load). In fact, these 2 methods are the same, because GraphQL::Schema.from_introspection will call GraphQL::Schema::Loader.load
While digging into the patch, we noticed they swapped out all eval-based classes with exec alternatives. For those who haven’t messed with Ruby before, eval is like its PHP cousin — it can execute arbitrary Ruby code, which opens the door to Remote Code Execution (RCE) if misused.
For our PoC, we went with version 2.4.12. Some of the other minor versions mentioned in the advisory behave a bit differently — and honestly, not all of them seem vulnerable. If you're planning to experiment with this bug, we recommend sticking with 2.4.12 like we did.
In the input_object file, the dev team removed the class_eval call and replaced it with a plain method. This change stops user input from getting injected into runtime execution , effectively closing the door on this particular attack path.
We can make a simple vulnerable app by using GraphQL::Schema.from_introspection(JSON.parse(params[:graphql])).
In this function, firstly it loaded the JSON input, checked if the type name started with __ or not, and then went to the define_type function
This function took the kind of object
and called build_argument based on the object kind. The build_argument function called the argument function of this object
As we mentioned, we need to go through the input_object file, so we need to set the object kind to become INPUT_OBJECT.
The argument function of the input_object will reach the vulnerable spot.
The last piece of the exploitation is making the class_eval function run our arbitrary command. The problem is that the class_eval will require you to make a valid class/method before it can be called. As a consequence, we need to break and validate it twice, which we often do in XSS exploits.
The POC
The full proof-of-concept will be released after some days, including the nuclei template.
Affected Versions
The vulnerability affects multiple version ranges of the GraphQL gem:
Version 2.4.x: All versions from 2.4.0 up to (but not including) 2.4.13
Version 2.3.x: All versions from 2.3.0 up to (but not including) 2.3.21
Version 2.0.x: All versions from 2.0.0 up to (but not including) 2.0.32
Version 1.13.x: All versions from 1.13.0 up to (but not including) 1.13.24
Version 1.12.x: All versions from 1.12.0 up to (but not including) 1.12.25
Version 2.1.x: All versions from 2.1.0 up to (but not including) 2.1.15
Version 1.11.x: All versions from 1.11.5 up to (but not including) 1.11.11
Version 2.2.x: All versions from 2.2.0 up to (but not including) 2.2.17
Patched Versions
The security fix has been implemented in these specific versions:
2.4.13, 2.3.21, 2.0.32, 1.13.24, 1.12.25, 2.1.15, 1.11.11, 2.2.17
Mitigation
The most effective mitigation for this vulnerability is to update your GraphQL-Ruby gem to a patched version immediately. The GraphQL-Ruby maintainers have released security fixes across multiple version lines, ensuring that users can update without requiring major version upgrades