{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-18T16:44:48.765Z", "datePublished": "2025-02-20T20:13:01.242Z", "dateUpdated": "2025-02-20T21:04:05.183Z"}, "containers": {"cna": {"title": "Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g"}], "affected": [{"vendor": "ardatan", "product": "graphql-mesh", "versions": [{"version": "@graphql-mesh/cli: >= 0.78.0, < 0.82.22", "status": "affected"}, {"version": "@graphql-mesh/http: < 0.3.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-20T20:13:17.690Z"}, "descriptions": [{"lang": "en", "value": "GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files."}], "source": {"advisory": "GHSA-j2wh-wrv3-4x4g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-20T21:03:28.726181Z", "id": "CVE-2025-27098", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T21:04:05.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27098", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-20T21:03:28.726181Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T21:03:59.191Z"}}], "cna": {"title": "Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh", "source": {"advisory": "GHSA-j2wh-wrv3-4x4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ardatan", "product": "graphql-mesh", "versions": [{"status": "affected", "version": "@graphql-mesh/cli: >= 0.78.0, < 0.82.22"}, {"status": "affected", "version": "@graphql-mesh/http: < 0.3.19"}]}], "references": [{"url": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g", "name": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-20T20:13:17.690Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27098", "state": "PUBLISHED", "dateUpdated": "2025-02-20T21:04:05.183Z", "dateReserved": "2025-02-18T16:44:48.765Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-20T20:13:01.242Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:the-guild:graphql_mesh_cli:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "17A62D98-E1B7-47BE-8164-FEFB982D6FCD", "versionEndExcluding": "0.82.22", "versionStartIncluding": "0.78.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:the-guild:graphql_mesh_http:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "96E4C839-3476-4DEC-84A9-8D58BDC2A0A7", "versionEndExcluding": "0.3.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files."}, {"lang": "es", "value": "GraphQL Mesh es un framework de trabajo y puerta de enlace de GraphQL Federation tanto para GraphQL Federation como para subgrafos que no son de GraphQL Federation, servicios que no son de GraphQL, como REST y gRPC, y tambi\u00e9n bases de datos como MongoDB, MySQL y PostgreSQL. La vulnerabilidad de falta de verificaci\u00f3n en el controlador de archivos est\u00e1ticos permite que cualquier cliente acceda a los archivos en el sistema de archivos del servidor. Cuando se configura `staticFiles` en la configuraci\u00f3n de `serve` en el archivo de configuraci\u00f3n, el siguiente controlador no verifica si `absolutePath` todav\u00eda est\u00e1 bajo el directorio proporcionado como `staticFiles`. Los usuarios tienen dos opciones para corregir la vulnerabilidad; 1. Actualizar `@graphql-mesh/cli` a una versi\u00f3n superior a `0.82.21`, y si usa `@graphql-mesh/http`, actualizarlo a una versi\u00f3n superior a `0.3.18` 2. Eliminar la opci\u00f3n `staticFiles` de la configuraci\u00f3n y usar otras soluciones para servir archivos est\u00e1ticos."}], "id": "CVE-2025-27098", "lastModified": "2025-02-27T20:18:12.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-20T21:15:26.370", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}