CVE-2026-33286
Graphiti · Graphiti Framework
Graphiti framework versions prior to 1.10.2 are vulnerable to arbitrary method execution, allowing attackers to invoke destructive operations on underlying models via malicious JSONAPI payloads.
Executive summary
Applications built on the Graphiti framework are susceptible to critical arbitrary method execution, which could allow untrusted users to perform unauthorized data modifications or system actions.
Vulnerability
The Graphiti::Util::ValidationResponse#all_valid? method fails to validate relationship names against the resource's configured sideloads. The unvalidated name then reaches Ruby's send, so an attacker can invoke any public method on model instances or classes via a crafted JSONAPI write request.
Business impact
This flaw poses a severe threat to data integrity and system stability. An attacker could potentially call destructive methods such as destroy, delete_all, or custom administrative functions exposed in the model. With a CVSS score of 9.1, the vulnerability represents a high risk for any application exposing Graphiti endpoints to unauthenticated or untrusted users.
Remediation
Immediate Action: Upgrade the Graphiti framework to version 1.10.2 or later, which corrects the improper input handling.
Proactive Monitoring: Audit application logs for JSONAPI requests containing unexpected relationship names or those targeting sensitive model methods.
Compensating Controls: Implement Rails strong parameters to strictly whitelist allowed attributes and ensure that write endpoints are protected by robust authentication and authorization checks.
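The two compensating controls above, as an added example that is not Graphiti's or the advisory's own code: a pre-model gate that checks every relationship name in a JSONAPI write payload against the sideloads a resource is configured to accept, plus a log audit that flags write requests carrying relationship names outside that allow-list. The allow-list, the payloads and the log line format are constructed for the example; a real deployment would derive the allow-list from the resource definitions and parse its actual request logs.

```ruby
require "json"

# Hypothetical allow-list (constructed): the sideloads each resource type is
# configured to accept. In a real application this comes from the resource
# definitions rather than a literal hash.
ALLOWED_SIDELOADS = {
  "posts"    => %w[author comments].freeze,
  "comments" => %w[post].freeze
}.freeze

class UnexpectedRelationshipError < StandardError; end

# Walk the primary resource and every `included` member of a JSONAPI document
# and return "type.name" for each relationship that is not a configured
# sideload. An empty array means the payload only names known sideloads.
def unexpected_relationships(doc)
  resources = [doc["data"]].compact + Array(doc["included"])
  resources.flat_map do |res|
    type    = res["type"].to_s
    allowed = ALLOWED_SIDELOADS.fetch(type, [])
    names   = (res["relationships"] || {}).keys
    names.reject { |n| allowed.include?(n) }.map { |n| "#{type}.#{n}" }
  end
end

# Gate for write endpoints: reject the request before any relationship name
# can reach the model layer. Returns the parsed document when it is clean.
def validate_write_payload!(raw_json)
  doc = JSON.parse(raw_json)
  bad = unexpected_relationships(doc)
  raise UnexpectedRelationshipError, "rejected: #{bad.join(', ')}" unless bad.empty?
  doc
end

# Log audit over lines of the constructed form
#   "<timestamp> <method> <path> rels=<comma-separated relationship names>"
# Returns the write-request lines whose relationship names fall outside the
# allow-list for the resource type named in the path.
def suspicious_log_lines(lines)
  lines.select do |line|
    m = line.match(%r{\s(POST|PATCH|DELETE)\s/(\w+)\S*\srels=(\S*)})
    next false unless m
    type = m[2]
    rels = m[3].split(",").reject(&:empty?)
    allowed = ALLOWED_SIDELOADS.fetch(type, [])
    rels.any? { |r| !allowed.include?(r) }
  end
end

# Constructed sample payloads.
CLEAN_PAYLOAD = <<~JSON
  {"data":{"type":"posts","attributes":{"title":"hello"},
           "relationships":{"author":{"data":{"type":"users","id":"1"}}}}}
JSON

BAD_PAYLOAD = <<~JSON
  {"data":{"type":"posts","attributes":{"title":"hello"},
           "relationships":{"author":{"data":{"type":"users","id":"1"}},
                            "unknown_relationship":{"data":[]}}},
   "included":[{"type":"comments","id":"3",
                "relationships":{"post":{"data":{"type":"posts","id":"1"}}}}]}
JSON

# Constructed sample log lines.
SAMPLE_LOG = [
  "2026-01-01T00:00:00Z PATCH /posts/1 rels=author",
  "2026-01-01T00:00:01Z GET /posts/1 rels=author,comments",
  "2026-01-01T00:00:02Z POST /posts rels=author,unknown_relationship",
  "2026-01-01T00:00:03Z PATCH /comments/7 rels=post"
].freeze

if __FILE__ == $PROGRAM_NAME
  p unexpected_relationships(JSON.parse(BAD_PAYLOAD))
  p suspicious_log_lines(SAMPLE_LOG)
end
```

The gate deliberately compares against a per-type allow-list rather than a deny-list of method names, since the advisory's point is that any public method becomes reachable; only names the resource actually configures as sideloads should pass. The audit uses the same allow-list, so a name that the gate would reject is also what the log review surfaces.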
Exploitation status
Public Exploit Available: No
Analyst recommendation
Developers must prioritize the update to Graphiti v1.10.2. If an immediate update is not possible, ensure that all write operations (POST, PATCH, DELETE) are restricted to authenticated users with the minimum necessary privileges.