Lookup for vulnerable packages by Package URL.

Purl pkg:gem/graphql@2.3.4
Type gem
Namespace
Name graphql
Version 2.3.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.3.23
Latest_non_vulnerable_version 2.6.1
Affected_by_vulnerabilities
0
url VCID-hjcr-1st5-v3dg
vulnerability_id VCID-hjcr-1st5-v3dg
summary graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27407.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27407.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27407
reference_id
reference_type
scores
0
value 0.01361
scoring_system epss
scoring_elements 0.80652
published_at 2026-06-13T12:55:00Z
1
value 0.01361
scoring_system epss
scoring_elements 0.80644
published_at 2026-06-14T12:55:00Z
2
value 0.01361
scoring_system epss
scoring_elements 0.8064
published_at 2026-06-12T12:55:00Z
3
value 0.01361
scoring_system epss
scoring_elements 0.80579
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27407
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27407
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27407
3
reference_url https://github.com/rmosolgo/graphql-ruby
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rmosolgo/graphql-ruby
4
reference_url https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml
6
reference_url https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27407
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27407
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100442
reference_id 1100442
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100442
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2351767
reference_id 2351767
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2351767
10
reference_url https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
reference_id 28233b16c0eb9d0fb7808f4980e061dc7507c4cd
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
11
reference_url https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
reference_id 2d2f4ed1f79472f8eed29c864b039649e1de238f
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
12
reference_url https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
reference_id 5c5a7b9a9bdce143be048074aea50edb7bb747be
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
13
reference_url https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
reference_id 6eca16b9fa553aa957099a30dbde64ddcdac52ca
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
14
reference_url https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
reference_id d0963289e0dab4ea893bbecf12bb7d89294957bb
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
15
reference_url https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
reference_id d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
16
reference_url https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
reference_id e3b33ace05391da2871c75ab4d3b66e29133b367
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
17
reference_url https://github.com/advisories/GHSA-q92j-grw3-h492
reference_id GHSA-q92j-grw3-h492
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q92j-grw3-h492
18
reference_url https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
reference_id GHSA-q92j-grw3-h492
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
3
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
4
value CRITICAL
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
19
reference_url https://github.com/github-community-projects/graphql-client
reference_id graphql-client
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://github.com/github-community-projects/graphql-client
20
reference_url https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
reference_id patch-release-gitlab-17-9-2-released
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T18:41:38Z/
url https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
21
reference_url https://access.redhat.com/errata/RHSA-2025:3490
reference_id RHSA-2025:3490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3490
22
reference_url https://access.redhat.com/errata/RHSA-2025:3491
reference_id RHSA-2025:3491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3491
23
reference_url https://access.redhat.com/errata/RHSA-2025:3492
reference_id RHSA-2025:3492
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3492
24
reference_url https://access.redhat.com/errata/RHSA-2025:4576
reference_id RHSA-2025:4576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4576
fixed_packages
0
url pkg:gem/graphql@2.3.21
purl pkg:gem/graphql@2.3.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u1pb-z884-8fby
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.3.21
1
url pkg:gem/graphql@2.4.13
purl pkg:gem/graphql@2.4.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u1pb-z884-8fby
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.4.13
aliases CVE-2025-27407, GHSA-q92j-grw3-h492
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hjcr-1st5-v3dg
1
url VCID-u1pb-z884-8fby
vulnerability_id VCID-u1pb-z884-8fby
summary
GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens
GraphQL-Ruby's `max_query_string_tokens` configuration didn't count
comment tokens against the limit, allowing strings to be processed
even after the configured maximum had actually been reached.

In patched versions, the Ruby lexer does count these tokens.

GraphQL-CParser is not affected by this problem.

`max_query_string_tokens` was introduced in v2.3.1. Each 2.x
version has received a new patch release that includes the fix.
references
0
reference_url https://github.com/rmosolgo/graphql-ruby
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rmosolgo/graphql-ruby
1
reference_url https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
2
reference_url https://github.com/advisories/GHSA-3h96-34p3-xm76
reference_id GHSA-3h96-34p3-xm76
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3h96-34p3-xm76
fixed_packages
0
url pkg:gem/graphql@2.3.23
purl pkg:gem/graphql@2.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.3.23
1
url pkg:gem/graphql@2.4.18
purl pkg:gem/graphql@2.4.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.4.18
2
url pkg:gem/graphql@2.5.26
purl pkg:gem/graphql@2.5.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.5.26
3
url pkg:gem/graphql@2.6.1
purl pkg:gem/graphql@2.6.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.6.1
aliases GHSA-3h96-34p3-xm76
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u1pb-z884-8fby
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/graphql@2.3.4