CVE-2025-27098

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-27098

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27098.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27098

Aliases

GHSA-j2wh-wrv3-4x4g

Published

2025-02-20T20:13:01.242Z

Modified

2026-04-10T05:36:44.616624Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh

Details

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles. Users have two options to fix vulnerability; 1. Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18 2. Remove staticFiles option from the configuration, and use other solutions to serve static files.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27098.json"
}

References

Affected packages

Git / github.com/ardatan/graphql-mesh

Affected ranges

Type: GIT
Repo: https://github.com/ardatan/graphql-mesh
Events: Introduced

9735ae5680778b3ea0ed2dda0c1840b7acbfb970

Fixed

ed38e0d126e36131845f48fe5389d6141857f763

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27098.json"