• Bug#1100442: ruby-graphql: CVE-2025-27407

    From Salvatore Bonaccorso@21:1/5 to All on Thu Mar 13 23:10:02 2025
    Source: ruby-graphql
    Version: 2.2.5-3
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for ruby-graphql.

    CVE-2025-27407[0]:
    | graphql-ruby is a Ruby implementation of GraphQL. Starting in
    | version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24,
    | 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema
    | definition in `GraphQL::Schema.from_introspection` (or
    | `GraphQL::Schema::Loader.load`) can result in remote code execution.
    | Any system which loads a schema by JSON from an untrusted source is
    | vulnerable, including those that use GraphQL::Client to load
    | external schemas via GraphQL introspection. Versions 1.11.8,
    | 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch
    | for the issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-27407
    https://www.cve.org/CVERecord?id=CVE-2025-27407
    [1] https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
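As an added example, not part of the bug report or of graphql-ruby itself: a small Ruby check that maps a Debian package version or a Gemfile.lock entry onto the affected and fixed version ranges quoted in the CVE text above, so a maintainer can confirm whether a deployment still needs the update. The function names, the constructed lockfile sample, and the treatment of release series newer than 2.3 (reported as unknown, since the advisory text here lists no fixed version for them) are assumptions of this example.

```ruby
require "rubygems"

# Fixed version per release series, as listed in the CVE-2025-27407 text.
FIXED_BY_SERIES = {
  "1.11" => "1.11.8",
  "1.12" => "1.12.25",
  "1.13" => "1.13.24",
  "2.0"  => "2.0.32",
  "2.1"  => "2.1.14",
  "2.2"  => "2.2.17",
  "2.3"  => "2.3.21",
}.freeze

# The advisory says the flaw was introduced in 1.11.5.
FIRST_AFFECTED = Gem::Version.new("1.11.5")

# Strip a Debian epoch ("1:") and revision ("-3") so that e.g. "2.2.5-3"
# compares as upstream 2.2.5 rather than as a rubygems prerelease.
def upstream_version(debian_version)
  debian_version.sub(/\A\d+:/, "").sub(/-[^-]*\z/, "")
end

# Classify an upstream graphql gem version against the advisory ranges.
# Returns :not_affected, :vulnerable, :fixed or :unknown.
def cve_2025_27407_status(version_string)
  v = Gem::Version.new(version_string)
  return :not_affected if v < FIRST_AFFECTED

  series = v.segments.first(2).join(".")
  fixed = FIXED_BY_SERIES[series]
  # Assumption: series not named in the advisory text (2.4 and later) are
  # reported as :unknown instead of guessing either way.
  return :unknown unless fixed

  v >= Gem::Version.new(fixed) ? :fixed : :vulnerable
end

# Pull the resolved graphql version out of Gemfile.lock text. Only the
# "specs:" line ("    graphql (2.2.5)") matches; dependency constraints such
# as "graphql (>= 1.13.0)" and the separate graphql-client gem do not.
def graphql_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+graphql \((\d+(?:\.\d+)*)\)\s*$/)
  m && m[1]
end

# Constructed sample lockfile for demonstration, not a real project's file.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.2.5)
        base64
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)
LOCK

if __FILE__ == $0
  # Debian package versions from this report: affected 2.2.5-3, fixed 2.2.17-1.
  ["2.2.5-3", "2.2.17-1"].each do |deb|
    puts "#{deb}: #{cve_2025_27407_status(upstream_version(deb))}"
  end
  locked = graphql_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "Gemfile.lock graphql #{locked}: #{cve_2025_27407_status(locked)}"
end
```

Note that this only answers the version question; a deployment on a fixed version is still expected to treat schema JSON from untrusted sources with care, since the advisory's attack surface is any code path that feeds external introspection results into `GraphQL::Schema.from_introspection` or `GraphQL::Schema::Loader.load`.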
  • From Debian Bug Tracking System@21:1/5 to All on Mon Apr 7 01:00:02 2025

    Your message dated Sun, 06 Apr 2025 22:52:24 +0000
    with message-id <E1u1Yqm-00FnrW-94@fasolo.debian.org>
    and subject line Bug#1100442: fixed in ruby-graphql 2.2.17-1
    has caused the Debian Bug report #1100442,
    regarding ruby-graphql: CVE-2025-27407
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1100442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100442
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 13 Mar 2025 21:57:56 +0000
    Return-path: <salvatore.bonaccorso@gmail.com>