
A flaw was found in graphql-ruby. In affected versions of graphql-ruby, loading a malicious schema definition with GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.

Mitigation

Successful exploitation of this flaw requires GraphQL schema loading. Limiting schema loading to trusted or authenticated users will limit the impact of the vulnerability. Coupling that with strict input validation for every GraphQL schema being loaded would reduce the risk of a successful attack and serve as a possible mitigation strategy for this…
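One way to apply the strict input validation described above before introspection JSON reaches a schema loader; this is an added example, not code from graphql-ruby or from the advisory. The helper names introspection_violations and checked_introspection are hypothetical, and the checks assume only the GraphQL specification's Name grammar and __TypeKind enum, so they narrow what a loader will accept rather than replace a fixed release.

```ruby
require "json"

# GraphQL spec Name production. \A and \z anchor the whole string; ^ and $
# would only anchor a line and let multi-line values through.
NAME = /\A[_A-Za-z][_0-9A-Za-z]*\z/
# Values of the introspection __TypeKind enum in the GraphQL spec.
TYPE_KINDS = %w[SCALAR OBJECT INTERFACE UNION ENUM INPUT_OBJECT LIST NON_NULL].freeze

# Recursively collect violations from a parsed introspection document.
def introspection_violations(node, path = "$", out = [])
  case node
  when Hash
    name = node["name"]
    unless name.nil? || (name.is_a?(String) && name.match?(NAME))
      out << "#{path}.name: not a valid GraphQL Name"
    end
    if node.key?("kind") && !TYPE_KINDS.include?(node["kind"])
      out << "#{path}.kind: unknown type kind"
    end
    node.each { |key, value| introspection_violations(value, "#{path}.#{key}", out) }
  when Array
    node.each_with_index { |value, i| introspection_violations(value, "#{path}[#{i}]", out) }
  end
  out
end

# Parse untrusted JSON; raise before anything is handed to a schema loader.
def checked_introspection(json_text)
  doc = JSON.parse(json_text)
  root = doc.is_a?(Hash) ? (doc["data"] || doc) : nil
  raise ArgumentError, "no __schema object" unless root.is_a?(Hash) && root["__schema"].is_a?(Hash)
  problems = introspection_violations(root["__schema"], "$.__schema")
  raise ArgumentError, problems.join("; ") unless problems.empty?
  doc
end

# Constructed sample inputs (not taken from any real service).
GOOD = <<~'JSON'
  {"data":{"__schema":{"queryType":{"name":"Query"},"types":[
    {"kind":"OBJECT","name":"Query","fields":[{"name":"hello","args":[],
      "type":{"kind":"NON_NULL","name":null,
              "ofType":{"kind":"SCALAR","name":"String","ofType":null}}}]}]}}}
JSON
# Same document with an invalid field name, an unknown kind and a two-line name.
BAD = GOOD.sub('"hello"', '"hello world"').sub('"NON_NULL"', '"WIDGET"')
          .sub('"String"') { '"ok\nsecond"' }

puts introspection_violations(JSON.parse(BAD)) if __FILE__ == $PROGRAM_NAME
```

Only the document returned by checked_introspection should be passed on to the loader; a raised ArgumentError means the schema is rejected and the source logged for review.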