Skip to content

Commit cb566ac

Browse files
jasnowpostmodern
authored andcommitted
GHSA SYNC: 2 brand new advisories
1 parent 233c6ae commit cb566ac

File tree

2 files changed

+75
-0
lines changed

2 files changed

+75
-0
lines changed

gems/graphql/CVE-2025-27407.yml

+41
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
---
2+
gem: graphql
3+
cve: 2025-27407
4+
ghsa: q92j-grw3-h492
5+
url: https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
6+
title: graphql allows remote code execution when loading a crafted GraphQL schema
7+
date: 2025-03-12
8+
description: |
9+
Loading a malicious schema definition in
10+
`GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`)
11+
can result in remote code execution. Any system which loads a schema
12+
by JSON from an untrusted source is vulnerable, including those that
13+
use [GraphQL::Client](https://github.com/github-community-projects/graphql-client)
14+
to load external schemas via GraphQL introspection.
15+
cvss_v3: 9.1
16+
unaffected_versions:
17+
- "< 1.11.5"
18+
patched_versions:
19+
- "~> 1.11.11"
20+
- "~> 1.12.25"
21+
- "~> 1.13.24"
22+
- "~> 2.0.32"
23+
- "~> 2.1.15"
24+
- "~> 2.2.17"
25+
- "~> 2.3.21"
26+
- ">= 2.4.13"
27+
related:
28+
url:
29+
- https://nvd.nist.gov/vuln/detail/CVE-2025-27407
30+
- https://github.com/github-community-projects/graphql-client
31+
- https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
32+
- https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
33+
- https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
34+
- https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
35+
- https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
36+
- https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
37+
- https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
38+
- https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
39+
- https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
40+
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
41+
- https://github.com/advisories/GHSA-q92j-grw3-h492

gems/json/CVE-2025-27788.yml

+34
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
gem: json
3+
cve: 2025-27788
4+
ghsa: 9m3q-rhmv-5q44
5+
url: https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44
6+
title: Out-of-bounds Read in Ruby JSON Parser
7+
date: 2025-03-12
8+
description: |
9+
### Impact
10+
11+
A specially crafted document could cause an out of bound read,
12+
most likely resulting in a crash.
13+
14+
Versions 2.10.0 and 2.10.1 are impacted. Older versions are not.
15+
16+
### Patches
17+
18+
Version 2.10.2 fixes the problem.
19+
20+
### Workarounds
21+
22+
None.
23+
cvss_v3: 7.5
24+
unaffected_versions:
25+
- "< 2.10.0"
26+
patched_versions:
27+
- ">= 2.10.2"
28+
related:
29+
url:
30+
- https://nvd.nist.gov/vuln/detail/CVE-2025-27788
31+
- https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44
32+
- https://github.com/ruby/json/releases/tag/v2.10.2
33+
- https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf
34+
- https://github.com/advisories/GHSA-9m3q-rhmv-5q44

0 commit comments

Comments
 (0)