VulnerableCode Package Details - pkg:gem/graphql@2.4.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-u1pb-z884-8fby Aliases: GHSA-3h96-34p3-xm76	GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens GraphQL-Ruby's `max_query_string_tokens` configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this problem. `max_query_string_tokens` was introduced in v2.3.1. Each 2.x version has received a new patch release for including a fix.	2.4.18 Affected by 0 other vulnerabilities. 2.5.26 Affected by 0 other vulnerabilities. 2.6.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-u1pb-z884-8fby
Aliases:
GHSA-3h96-34p3-xm76

GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens GraphQL-Ruby's `max_query_string_tokens` configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this problem. `max_query_string_tokens` was introduced in v2.3.1. Each 2.x version has received a new patch release for including a fix.

2.4.18
Affected by 0 other vulnerabilities.

2.5.26
Affected by 0 other vulnerabilities.

2.6.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hjcr-1st5-v3dg	graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.	CVE-2025-27407 GHSA-q92j-grw3-h492

Vulnerability

Summary

Aliases

VCID-hjcr-1st5-v3dg

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.

CVE-2025-27407
GHSA-q92j-grw3-h492

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T15:13:20.117991+00:00	GitLab Importer	Fixing	VCID-hjcr-1st5-v3dg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/graphql/CVE-2025-27407.yml	38.6.0
2026-06-12T22:21:16.044263+00:00	GitLab Importer	Affected by	VCID-u1pb-z884-8fby	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/graphql/GHSA-3h96-34p3-xm76.yml	38.6.0
2026-06-12T07:54:08.818974+00:00	GithubOSV Importer	Fixing	VCID-hjcr-1st5-v3dg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-q92j-grw3-h492/GHSA-q92j-grw3-h492.json	38.6.0