A Critical Vulnerability in GraphQL (CVE-2025-27407)

Published: Mar 14, 2025 17:15

Advisory No: TZCERT-SA-25-0070

Source: GitHub

Software Affected: graphql

Overview

A critical vulnerability affects the graphql library. Exploitation of this vulnerability may allow an attacker to execute code remotely on the affected system.

Description

The vulnerability results from loading a malicious schema definition through GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load), which includes applications that use GraphQL::Client to load external schemas via GraphQL introspection. A schema obtained from an untrusted introspection source can therefore lead to remote code execution on the affected system.

Impact

Successful exploitation of this vulnerability may allow the attackers to take control of the affected system.

Solution

GraphQL has released security patches for this vulnerability. Users and administrators are encouraged to apply necessary updates.
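Beyond applying the patch, an added defence-in-depth example (not part of this advisory or the graphql project): a Ruby gate that an application can place in front of GraphQL::Schema.from_introspection, refusing any introspection document whose digest does not match a reviewed, checked-in pin or whose type or field names fall outside the GraphQL name grammar. vet_introspection, UntrustedSchemaError and the sample document are assumptions constructed here.

```ruby
require "json"
require "digest"

# GraphQL spec: names match /[_A-Za-z][_0-9A-Za-z]*/. Anything else in an
# introspection document is not a valid name and must not be loaded.
GRAPHQL_NAME = /\A[_A-Za-z][_0-9A-Za-z]*\z/

class UntrustedSchemaError < StandardError; end

# Gate (assumed helper) an introspection document before it reaches
# GraphQL::Schema.from_introspection / GraphQL::Schema::Loader.load.
#   raw           - JSON string fetched from the remote endpoint
#   pinned_sha256 - hex digest of the schema you reviewed and checked in
# Returns the parsed Hash, or raises UntrustedSchemaError.
def vet_introspection(raw, pinned_sha256)
  actual = Digest::SHA256.hexdigest(raw)
  unless actual == pinned_sha256
    raise UntrustedSchemaError, "digest #{actual} != pinned #{pinned_sha256}"
  end
  doc = JSON.parse(raw)
  schema = doc.dig("data", "__schema")
  raise UntrustedSchemaError, "missing data.__schema" unless schema.is_a?(Hash)
  types = schema["types"]
  raise UntrustedSchemaError, "missing __schema.types" unless types.is_a?(Array)
  # Defence in depth: even a pinned document must only contain spec-valid names.
  types.each do |t|
    unless t["name"].is_a?(String) && t["name"].match?(GRAPHQL_NAME)
      raise UntrustedSchemaError, "invalid type name #{t["name"].inspect}"
    end
    (t["fields"] || []).each do |f|
      unless f["name"].is_a?(String) && f["name"].match?(GRAPHQL_NAME)
        raise UntrustedSchemaError, "invalid field name #{f["name"].inspect}"
      end
    end
  end
  doc
end

# Constructed minimal introspection document (not captured from a real server).
SAMPLE = JSON.generate("data" => { "__schema" => {
  "queryType" => { "name" => "Query" },
  "types" => [
    { "kind" => "OBJECT", "name" => "Query",
      "fields" => [{ "name" => "ping", "type" => { "kind" => "SCALAR", "name" => "String" } }] },
    { "kind" => "SCALAR", "name" => "String", "fields" => nil }
  ] } })
SAMPLE_SHA256 = Digest::SHA256.hexdigest(SAMPLE)  # in practice: a checked-in pin

vet_introspection(SAMPLE, SAMPLE_SHA256) if __FILE__ == $0
```

The returned Hash is what the application then passes to GraphQL::Schema.from_introspection; a document that fails either check never reaches the loader.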
