CVE-2025-27407

Severity: Critical · Impact: RCE

Published: 12 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed releases are listed under Deeper analysis)
CVSS Score (v3.1): 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0136 (80.6th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27407 is a critical-severity Code Injection (CWE-94) vulnerability recorded against Gitlab (affected product inferred from references; the flaw itself lives in the graphql-ruby library, see Deeper analysis). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.4% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

graphql-ruby, a Ruby implementation of GraphQL, contains a code injection vulnerability (CWE-94) in the schema loading path. Starting with version 1.11.5, the methods GraphQL::Schema.from_introspection and GraphQL::Schema::Loader.load deserialize untrusted JSON schema definitions without sufficient validation, allowing remote code execution. The flaw affects any application that loads schemas from external or untrusted sources, including those using the GraphQL::Client library to perform introspection against remote endpoints. Patched releases are 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21.

An attacker who can supply a malicious schema JSON—either directly or by controlling an introspection endpoint—can achieve arbitrary code execution on the target system. The attack requires no authentication or user interaction and carries a CVSS 3.1 score of 9.0, reflecting its high impact on confidentiality, integrity, and availability when the vulnerable component is reachable over the network.

Public references indicate that mitigation consists of upgrading to one of the listed patched versions. The GitLab 17.9.2 release notes and the graphql-ruby repository commits (28233b16, 2d2f4ed1, 5c5a7b9a) document the fixes applied to the affected schema-loading code.

EPSS for the CVE rose from a low baseline to a peak of 0.0586 on 2026-01-13 before receding to the current value of 0.0136, indicating a measurable increase in exploitation interest after disclosure. No confirmed in-the-wild exploitation is referenced in the provided sources.

Vulnerability details

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
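The two passages above (Deeper analysis and Vulnerability details) reduce to a version-range question plus a "where did this schema JSON come from" question. The following Ruby is an added triage example written for this page, not code from graphql-ruby, GitLab or GraphQL::Client: it classifies an installed graphql gem version against the advisory's affected and fixed releases, pulls the resolved version out of a Gemfile.lock, and shows an allowlist check for introspection sources as a compensating control while an upgrade is pending. Assumptions: the Gemfile.lock excerpt is constructed, the allowlisted host name is a hypothetical placeholder, and major.minor branches the advisory does not name (for example 2.4.x) are reported as `:unknown_branch` rather than guessed.

```ruby
# Added example (not graphql-ruby or GitLab project code): offline triage
# helpers for CVE-2025-27407 that can be run against a Gemfile.lock.
require "rubygems"   # Gem::Version (loaded by default in modern Ruby)
require "uri"

# First affected release and the fixed release on each branch, as given in the advisory.
FIRST_AFFECTED = Gem::Version.new("1.11.5")
PATCHED_BY_BRANCH = {
  "1.11" => "1.11.8",
  "1.12" => "1.12.25",
  "1.13" => "1.13.24",
  "2.0"  => "2.0.32",
  "2.1"  => "2.1.14",
  "2.2"  => "2.2.17",
  "2.3"  => "2.3.21",
}.transform_values { |v| Gem::Version.new(v) }.freeze

# Classify an installed graphql gem version against the advisory's ranges.
# Returns :not_affected, :vulnerable, or :unknown_branch (a major.minor branch
# the advisory does not name, e.g. 2.4.x; confirm against the release notes).
def graphql_gem_status(version_string)
  version = Gem::Version.new(version_string)
  return :not_affected if version < FIRST_AFFECTED

  branch = version.segments.first(2).join(".")
  patched = PATCHED_BY_BRANCH[branch]
  return :unknown_branch if patched.nil?

  version < patched ? :vulnerable : :not_affected
end

# Pull the resolved graphql version out of Gemfile.lock text. Top-level spec
# lines under "specs:" are indented four spaces; dependency lines (six spaces)
# and other gems such as graphql-client are deliberately not matched.
def graphql_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^    graphql \(([^)]+)\)\s*$/)
  match && match[1]
end

# Convenience wrapper: lockfile text in, advisory status out.
def lockfile_status(lockfile_text)
  version = graphql_version_from_lockfile(lockfile_text)
  return :graphql_not_present if version.nil?

  graphql_gem_status(version)
end

# Constructed sample Gemfile.lock excerpt (not from any real project), pinned
# one release below the 2.3 branch fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.3.20)
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)
LOCK

# Compensating control while a patch is pending: only fetch introspection
# schema JSON (as GraphQL::Client does) from hosts on an explicit allowlist,
# and only over HTTPS. The host below is a hypothetical placeholder.
TRUSTED_SCHEMA_HOSTS = %w[graphql-api.internal.example].freeze

def trusted_introspection_source?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTPS) && TRUSTED_SCHEMA_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "graphql #{graphql_version_from_lockfile(SAMPLE_LOCK)}: #{lockfile_status(SAMPLE_LOCK)}"
  puts "trusted source: #{trusted_introspection_source?('https://graphql-api.internal.example/graphql')}"
end
```

Point `lockfile_status` at the real `Gemfile.lock` of each Ruby service that can reach a remote GraphQL endpoint; a `:vulnerable` result on a service that performs introspection against anything outside the allowlist is the combination the advisory describes.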

CWE(s)

CWE-94: Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote code execution flaw in a GraphQL library exposed via web applications, directly enabling T1190 by allowing unauthenticated attackers to supply malicious introspection JSON leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

Affected Assets

Gitlab (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the RCE vulnerability by requiring timely application of patches to affected graphql-ruby versions, eliminating the code injection flaw during schema loading.

SI-10 Information Input Validation (prevent)

Requires validation of untrusted JSON schema inputs from introspection to reject malicious definitions that trigger arbitrary code execution.

Additional preventive control (identifier not given on this page)

Restricts or prohibits the risky functionality of loading external GraphQL schemas via introspection from untrusted sources, reducing exposure to crafted malicious inputs.

References