## https://sploitus.com/exploit?id=FFC85C8E-682E-5D90-B909-564D29F83F58
# PoC_CVE-2025-27407
Proof of concept for a remote code execution issue in GraphQL-Ruby when loading a crafted introspection schema.
## Disclaimer
Important. This repository is for educational and research purposes only. Do not use this code against systems you do not own or have explicit permission to test. Run it only in isolated, controlled environments.
## Vulnerability summary
This PoC targets GraphQL-Ruby `2.4.12`. A malicious introspection schema (`app/schema.json`) contains a specially crafted input field name that is not safely handled during schema construction. When `GraphQL::Schema.from_introspection` parses it, the payload is evaluated as Ruby code, resulting in command execution. The PoC writes the output of `id` to `/tmp/pwned` to demonstrate impact.
## How to run
You can run locally with Ruby or inside Docker.
### Option 1: Docker
```bash
docker build -t poc-cve-2025-27407 .
docker run --rm -it poc-cve-2025-27407
```
Inside the container:
```bash
ruby exploit.rb
```
### Option 2: Local Ruby
```bash
cd app
bundle install
ruby exploit.rb
```
## Expected output
If the vulnerable version is used, the script should print `PWNED` and show the contents of `/tmp/pwned`. If it is not vulnerable or execution is blocked, you will see `Not pwned`.