=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN139


_____________________________________________________________________

DATE                : 14/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running graphql versions prior to 1.11.11,
                      1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21, 2.4.13.

=====================================================================
https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
_____________________________________________________________________


Remote code execution when loading a crafted GraphQL schema
Critical
rmosolgo published GHSA-q92j-grw3-h492 Mar 12, 2025

Package
graphql (RubyGems)

Affected versions
> 1.11.5

Patched versions
1.11.11, 1.12.25, 1.13.24, 2.0.32, 2.1.15, 2.2.17, 2.3.21, 2.4.13


Description

Summary

Loading a malicious schema definition in GraphQL::Schema.from_introspection
(or GraphQL::Schema::Loader.load) can result in remote code execution.
Any system which loads a schema by JSON from an untrusted source is
vulnerable, including those that use GraphQL::Client to load
external schemas via GraphQL introspection.
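Added example (not part of the advisory or of graphql-ruby): a Ruby check that maps a graphql gem version to the patched release of its MAJOR.MINOR series, using the affected range ("> 1.11.5") and the patched versions listed above. Treating a series the advisory does not list (for example a 2.5.x) as "unknown" is an assumption of this snippet, not a statement of the advisory.

```ruby
require "rubygems" # Gem::Version and Gem::Specification are in the Ruby stdlib

# Patched versions from the advisory, keyed by [MAJOR, MINOR] series.
GRAPHQL_PATCHED = %w[1.11.11 1.12.25 1.13.24 2.0.32 2.1.15 2.2.17 2.3.21 2.4.13]
  .map { |v| Gem::Version.new(v) }
  .to_h { |v| [v.segments[0, 2], v] }

# The advisory gives the affected range as "> 1.11.5".
GRAPHQL_FIRST_AFFECTED = Gem::Version.new("1.11.5")

# Classifies a graphql gem version string as :not_affected, :vulnerable,
# :patched, or :unknown (series not listed in the advisory; assumption).
def graphql_status(version_string)
  v = Gem::Version.new(version_string)
  return :not_affected if v <= GRAPHQL_FIRST_AFFECTED

  patched = GRAPHQL_PATCHED[v.segments[0, 2]]
  return :unknown if patched.nil?

  v < patched ? :vulnerable : :patched
end

# Checks the newest graphql gem installed in the current Ruby environment.
# Returns :not_installed when no graphql gem is present.
def installed_graphql_status
  specs = Gem::Specification.find_all_by_name("graphql")
  return :not_installed if specs.empty?

  graphql_status(specs.map(&:version).max.to_s)
end

if __FILE__ == $PROGRAM_NAME
  puts "installed graphql gem: #{installed_graphql_status}"
end
```

Run it inside the application's bundle (for example with `bundle exec ruby check_graphql.rb`, a constructed file name) so that the gem resolved is the one the application actually loads.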


Severity
Critical

9.1 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID
CVE-2025-27407

Weaknesses
CWE-94


Credits

    @yvvdwf      - Reporter
    @rmosolgo    - Remediation developer
    @joernchen   - Remediation reviewer
    @adarshan-gl - Remediation reviewer


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
