{ "schema_version": "1.4.0", "id": "GHSA-j2wh-wrv3-4x4g", "modified": "2025-02-20T22:51:27Z", "published": "2023-02-16T18:41:07Z", "aliases": [ "CVE-2025-27098" ], "summary": "Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler", "details": "### Summary\nMissing check vulnerability in the static file handler allows any client to access the files in the server's file system\n\n### Details\nWhen `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`;\n\n```ts\n if (staticFiles) {\n router.get('/:relativePath+', async request => {\n let { relativePath } = request.params;\n if (!relativePath) {\n relativePath = 'index.html';\n }\n const absolutePath = path.join(baseDir, staticFiles, relativePath);\n if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {\n const readStream = fs.createReadStream(absolutePath);\n return new Response(readStream as any, {\n status: 200,\n });\n }\n return undefined;\n });\n ```\n\n### Example scenario\nTo reproduce it, set `staticFiles` to the relative path of a directory in `.meshrc.yml`;\n\n```yml\nserve:\n staticFiles: ./public\n```\n\nThen start the server with `mesh dev`, and browse to `/..%2fpackage.json` then you will see the content of `package.json`. You can even go deeper to see sensitive data; `/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd`\n\n### Impact and solution\nIf `staticFiles` is set under `serve` in the configuration file. you have two options to fix vulnerability;\n\n- Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18`\n- Remove `staticFiles` option from the configuration, and use other solutions to serve static files.\n\n### Credits\nThanks [alanwillms@gmail.com](mailto:alanwillms@gmail.com) for reporting this vulnerability with details", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@graphql-mesh/cli" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.78.0" }, { "fixed": "0.82.22" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@graphql-mesh/http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.3.19" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/Urigo/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g" }, { "type": "WEB", "url": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27098" }, { "type": "WEB", "url": "https://github.com/Urigo/graphql-mesh/commit/95d93e7c140c2995b37e9d822aa3fe4e24ed2e78" }, { "type": "PACKAGE", "url": "https://github.com/Urigo/graphql-mesh" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-02-16T18:41:07Z", "nvd_published_at": "2025-02-20T21:15:26Z" } }