Remote Code Execution in GraphQL Ruby Versions Prior to Patched Releases
A remote code execution vulnerability exists in graphql-ruby, a Ruby implementation of GraphQL. It affects versions from 1.11.5 up to, but not including, the patched release on each maintained branch: 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21. The vulnerability is triggered when a malicious schema definition is loaded with `GraphQL::Schema.from_introspection` or `GraphQL::Schema::Loader.load`. Any system that builds a schema from introspection JSON obtained from an untrusted source is at risk, including applications that use GraphQL::Client to introspect an external API. Successful exploitation can result in remote code execution on the host that loads the schema. Upgrade to 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, or 2.3.21, whichever matches the release branch in use; until the upgrade is deployed, treat introspection JSON that crosses a trust boundary as untrusted input and avoid passing it to these loaders.
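The following Ruby helper is an added example, not code from the graphql-ruby project or from this advisory. It encodes the affected and patched versions listed above and gates a schema load on the installed gem being a patched release. The module name, the `status` and `load_untrusted_introspection!` methods and the `:unassessed` result are this example's own; `GraphQL::VERSION` is the version constant shipped by the graphql-ruby gem, and is only consulted when the caller does not pass a version explicitly. Branches that the advisory text does not list (anything older than 1.11 or newer than 2.3) are deliberately reported as not assessed rather than safe, so that the helper never gives a false all-clear for a release it knows nothing about.

```ruby
require "rubygems" # Gem::Version ships with Ruby; no extra gems needed

# Affected/patched versions as stated in the advisory text, keyed by release
# branch ("major.minor"). Versions below 1.11.5 are not affected; branches not
# in this table are reported as :unassessed and must be checked upstream.
module GraphqlRubyAdvisory
  FIRST_AFFECTED = Gem::Version.new("1.11.5")
  PATCHED = {
    "1.11" => "1.11.8",
    "1.12" => "1.12.25",
    "1.13" => "1.13.24",
    "2.0"  => "2.0.32",
    "2.1"  => "2.1.14",
    "2.2"  => "2.2.17",
    "2.3"  => "2.3.21",
  }.transform_values { |v| Gem::Version.new(v) }.freeze

  # Classify a graphql-ruby version string as :unaffected, :vulnerable,
  # :patched or :unassessed (branch unknown to this table).
  def self.status(version_string)
    v = Gem::Version.new(version_string)
    return :unaffected if v < FIRST_AFFECTED

    branch = v.segments[0, 2].join(".")
    fixed = PATCHED[branch]
    return :unassessed if fixed.nil?

    v < fixed ? :vulnerable : :patched
  end

  # Wrap this around GraphQL::Schema.from_introspection or
  # GraphQL::Schema::Loader.load whenever the introspection JSON comes from
  # outside your trust boundary. Yields only when the installed gem is a
  # patched release; refuses for vulnerable and for unassessed versions.
  # The default argument reads GraphQL::VERSION if the gem is loaded (assumption:
  # caller has required "graphql"); tests and scripts can pass a version instead.
  def self.load_untrusted_introspection!(version_string = (defined?(GraphQL::VERSION) ? GraphQL::VERSION : nil))
    raise ArgumentError, "no graphql-ruby version available to check" if version_string.nil?

    case status(version_string)
    when :patched
      yield
    when :vulnerable
      raise "graphql-ruby #{version_string} is vulnerable to RCE via Schema::Loader; upgrade before loading untrusted schemas"
    else
      raise "graphql-ruby #{version_string} is not covered by this check; consult the upstream advisory"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[1.10.9 1.11.5 1.11.8 2.0.31 2.3.20 2.3.21 2.4.0].each do |v|
    puts "#{v}: #{GraphqlRubyAdvisory.status(v)}"
  end
end
```

In an application the guard would wrap the real call, for example `GraphqlRubyAdvisory.load_untrusted_introspection! { GraphQL::Schema.from_introspection(json) }`; the version check is a deployment safety net, not a substitute for upgrading or for keeping untrusted schema JSON out of the loader altogether.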
Vulnerable product: rmosolgo graphql-ruby