CVE-2025-27098

HIGH EPSS 25.5%
Published Feb 20, 20251y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Feb 20, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
25.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 2

VendorProductVersionRange
the-guildgraphql_mesh_cli*≥0.78.0  –  <0.82.22
the-guildgraphql_mesh_http* <0.3.19

References 1

  • github.com https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g
    ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.