VulnerableCode Package Details - pkg:gem/graphql@2.3.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-hjcr-1st5-v3dg Aliases: CVE-2025-27407 GHSA-q92j-grw3-h492	graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.	2.3.21 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.4.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-u1pb-z884-8fby Aliases: GHSA-3h96-34p3-xm76	GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens GraphQL-Ruby's `max_query_string_tokens` configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this problem. `max_query_string_tokens` was introduced in v2.3.1. Each 2.x version has received a new patch release for including a fix.	2.3.23 Affected by 0 other vulnerabilities. 2.4.18 Affected by 0 other vulnerabilities. 2.5.26 Affected by 0 other vulnerabilities. 2.6.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hjcr-1st5-v3dg
Aliases:
CVE-2025-27407
GHSA-q92j-grw3-h492

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

2.3.21
Affected by 1 other vulnerability.

2.4.13
Affected by 1 other vulnerability.

VCID-u1pb-z884-8fby
Aliases:
GHSA-3h96-34p3-xm76

GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens GraphQL-Ruby's `max_query_string_tokens` configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this problem. `max_query_string_tokens` was introduced in v2.3.1. Each 2.x version has received a new patch release for including a fix.

2.3.23
Affected by 0 other vulnerabilities.

2.4.18
Affected by 0 other vulnerabilities.

2.5.26
Affected by 0 other vulnerabilities.

2.6.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T09:26:10.254443+00:00	Ruby Importer	Affected by	VCID-hjcr-1st5-v3dg	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml	38.6.0
2026-06-12T22:21:15.905584+00:00	GitLab Importer	Affected by	VCID-u1pb-z884-8fby	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/graphql/GHSA-3h96-34p3-xm76.yml	38.6.0
2026-06-12T19:54:48.911749+00:00	GitLab Importer	Affected by	VCID-hjcr-1st5-v3dg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/graphql/CVE-2025-27407.yml	38.6.0